Introducing Cheyenne ARCserve 6 for Windows NT.

With more than 600,000 satisfied customers, Cheyenne is the undisputed leader in LAN backup.* And with the introduction of ARCserve 6 for Windows NT, we’re setting a new standard for performance, reliability, and automation in Microsoft Windows NT backup.

Unmatched performance: With our new Image Backup and Tape RAID options, ARCserve 6 achieves blistering speeds - greater than 40 GB per hour.

Mainframe-class media handling: Your enterprise needs it; ARCserve 6 has it. With automated tape rotation, labeling, and management that no other backup product can match.

Revolutionary disaster recovery: ARCserve 6 keeps downtime to a minimum, with the only solution that allows you to restore servers quickly - without reinstalling the OS or applications.

Windows NT 4.0 support: ARCserve 6 is the first backup solution to leverage the strength of the Windows NT 4.0 interface, and perform full and partial backup/restore of the Windows NT Registry.

So if you’re looking for the new standard in backup for Windows NT, look to Cheyenne ARCserve 6. Other solutions are simply not an option.

Designed for Microsoft BackOffice

Cheyenne
Expect nothing less.

Freecall: 1-800-635-519 • www.cheyenne.com • Freefax: 1-800-622-163

news beat - Victorian Electoral Commission picks NT 5.0; Microsoft announces new DNA software and COM+; local company releases an 'ultra-thin' client solution
product watch - speculation over Intel buying Digital Alpha technology; an NT version of Novell's Network Directory Services; Microsoft to put 128-bit encryption in new products

Real Secure 1.0 - A must have package for any serious network environment
Omniguard/ESM 4.4 - An invaluable multiplatform security monitoring system
Frontpage 98 - A Web authoring tool designed for beginners and experts alike
EnVista Frontline Server - Three new enterprise systems for the NT market that can work in a cluster or independently

Kerberos is on guard in Windows NT 5.0 - the new security protocol using a three-sided authentication process
security beyond service packs - how to protect your NT network without relying on the latest service packs
maintaining secure Exchange servers - the essential aspects of security within an Exchange environment
set sail for uncharted NT performance - discover new levels of systems performance for Windows NT
profile - Microsoft - Eugenio Beaufrand
publishing with Windows NT - how Windows NT is pursuing this previously Macintosh dominated domain
Oracle for NT - a Q & A providing tips for using Oracle effectively

advanced WINS features - including push and pull partners, security and proxy servers
inside on-access virus scanners - building functionality with the system file drivers
connecting web clients to Exchange - how to access your mailbox from your Web browser
Q & A - how to troubleshoot and use Windows NT's Directory Replicator service and the difference in using WINS and LMHOSTS on networks and for browsing capabilities

OFTEN, NOTHING COSTS YOU MORE
THAN A SERVER CRASH.

NOW SUPERIOR SERVER PROTECTION
COSTS YOU NEXT TO NOTHING.

NOW AWARD-WINNING APC PROTECTION COMES STANDARD WITH THESE SYSTEMS.

DEPARTMENTAL SERVER

DELL POWEREDGE 4200 SERVER

• Intel 300MHz Pentium® II Processor (Dual Processor Capable)
• 64MB EDO ECC Memory (512MB Max)
• 512KB Dedicated L2 Cache
• 2 Integrated Ultra SCSI-3 Hard Drive
• 8x SCSI CD-ROM Drive
• Intel Pro/100B PCI Ethernet Adapter
• 8 Expansion Slots: 5 PCI, 3 EISA
• 10 Drive Bays: 6 Hot Swap Hard Drive, 4 Removable Media
★ Smart-UPS® 1400 from APC
★ Free PowerChute® Plus Software
★ Optional SmartSlot™ Power Management Accessories
• 3 Year Limited Warranty† with 1 Year of NBD On-site^ Service
• Upgrades to 4 hour On-site Service Available

$10675*

ENTERPRISE SERVER

DELL POWEREDGE 6100 SERVER

• 2 x 200MHz Pentium® Pro Processors (Quad Processor Capable)
• 128MB ECC Memory (4GB Max)
• 512KB Integrated L2 Cache per Processor
• 2 Integrated Ultra/Wide SCSI-3 Controllers
• 2x 4GB Ultra/Wide SCSI-3 Hard Drives
• 8X SCSI CD-ROM Drive
• Intel Pro/100B PCI Ethernet Adapter
• 10 Expansion Slots: 6 PCI, 4 EISA
• 10 Drive Bays: 6 Hard Drive, 4 Removable Media
• Redundant Hot-Swap Power Supplies
★ Smart-UPS® 1400 from APC
★ Free PowerChute® Plus Software
★ Optional SmartSlot™ Power Management Accessories
• 3 Years of NBD On-site^ Service/On-site Setup and Validation
• Upgrades to 4 hour On-site Service Available

$21730*

Given everything that’s riding on your company's servers, crash protection is something you can't afford to be without. Which is why every Dell PowerEdge Server comes with the industry-standard features you've come to expect. And since 45% of all data loss is a result of bad power, we've just done something to bolster our award-winning reliability. We have worked with APC, the industry leader in power protection with over 8 million satisfied customers and a host of awards. Which means you'll find APC protection available across the entire line of PowerEdge servers. So choose your Dell PowerEdge. For high-end reliability there's the Dell PowerEdge 6100, loaded with redundant cooling fans, ECC memory, hot-pluggable drives and the Smart-UPS 1400 with optional SmartSlot Power Management accessories. Or choose the Dell PowerEdge 4200, which also comes with APC Smart-UPS, a recent recipient of PC Magazine's Editors' Choice Award. Or choose the Dell PowerEdge 2200. Whichever you choose, two features remain consistent: reliability and value. Things no business can afford to overlook.

1 800 811 032

www.dell.com/apcc/

Mon - Fri 8am - 8pm

*Delivery not included. †For a complete understanding of our Guarantees or Limited warranties, please phone your Dell consultant. ^On-site service provided by an independent third-party provider. May not be available in some remote areas. Intel Inside, Pentium, Pentium Pro and LANDesk are registered trademarks and MMX is a trademark of Intel Corporation. APC, the APC logo, Smart-UPS, PowerChute and Protect ME! Logo are registered trademarks and

A complete family of 
corporate computer systems. 


Gateway 2000 has a system that will meet your corporate computing 
needs and your budget. 

Our exciting new server range, featuring the 2x2 workgroup server 
right up to the 6x6 enterprise server, will provide you with the ideal 
platform from which to build your network. 

Couple this with our award winning notebooks, E-1000 network 
PCs, our network-ready E-3000 desktop and tower PCs and you’ll have a 
family that will really work together. 

All of our corporate products are based on Intel’s range of processors 
including the NS-8000-2233 server featuring Intel’s 233MHz Pentium® II 
processor. Our systems are engineered to provide the highest levels of 
reliability, scalability and manageability. Add this to our build to order 
philosophy and you can be assured of a solution that will precisely 
fit your needs. 

Call one of our Account Managers today to find out which 
one of our family will best suit your business. 


Gateway E-Series PCs 
E-1000 from $1,699 incl. tax 
E-3000 from $1,999 incl. tax 
E-3100 from $3,399 incl. tax 
Gateway NS-Series 
NS-7000 from $5,999 incl. tax 
NS-8000 from $6,899 incl. tax 
NS-9000 from $23,999 incl. tax 



“You’ve got a friend in the business. ”® 

1800 500 917 


http://www.gw2k.com.au 












NT Workstations set to explode 


There is one thing that I learnt while running one of Australia’s largest public relations groups and that is that when you put out a press release claiming that a product is the best or the fastest, that you can substantiate it.

Therefore, when the PR hungry Rob Harnett of Hewlett Packard put out a press claim that its new HP Kayak XW PC workstation was the fastest personal workstation for 3D graphics, I was skeptical. Why? Because only two weeks previously I’d seen in the USA a new Digital Alpha workstation running dual 600MHz processors under Windows NT, as well as an Intergraph ExtremeZ graphic workstation running Windows NT and utilising 300MHz chips with a RealiZm 112X13 graphics card. These workstations were very fast. For example, up against a Power Computing Power Tower Pro and Apple’s dual processor 9500, the Intergraph ExtremeZ system took one second to resize an image to 12.4 MB, while the fastest Power Computing workstation took 29 seconds and the Apple 9500 multi processor, 36 seconds. When I applied a PhotoShop gaussian blur, a complex editing process, to a 48MB image it took eight seconds on the ExtremeZ workstation, 116 seconds on the Apple multi-processor and 102 seconds on the Power Tower Pro. Later in the day at the San Francisco Seybold show, which is the premier conference for publishing, I visited the Hewlett Packard stand and tried the same exercise with the new HP Kayak XW PC with the Accel Eclipse 3D graphics board. It turned out to be much slower, despite all systems running with 128MB of RAM.

Right now the market is exploding. A plethora of new Windows NT workstations are available from such companies as Compaq, IBM, Digital, Hewlett Packard and Intergraph, and all of them are delivering blisteringly fast workstations utilising Windows NT 4.0. However, in the next few months we’re set to see even faster systems with the introduction of Windows NT 5.0 and from Intel, a new line of AGP video controllers which crack along at 132 MHz and hang off the new Pentium II processor. This will deliver a dramatically faster bus speed and will have a dramatic impact on manufacturers of 35MHz PCI based cards such as those incorporated into the Hewlett Packard workstation.

I’m confident that 1998 will see Windows NT capture 
a major share of the workstation market. Organisations 
like SGI who have traditionally held a major share of the 
graphics workstation market are now facing significant 
pressure, with Silicon Graphics reporting a downturn of 
nearly $200 million in revenue last month and a fourth 
quarter loss. 

Leslie Fiering of the Gartner Group, who was in Australia recently, agrees. According to her, the “losers will be Sun, SGI, and Apple. The winners will be those delivering Windows NT workstations utilising multiple processors and a new generation of onboard graphic chips linked directly to the processor”.

Recently Quark announced a relationship with Digital on the Alpha platform, while Microsoft and other companies demonstrated the Avid range running on a Windows NT workstation alongside an SGI and Sparc workstation. Cost of ownership was considerably cheaper under Windows NT.

In a recent issue of our sister publication Publishing Essentials, we showed the publishing market how to port all of their Mac OS base files to Windows NT and within the next few weeks we’ll be producing an entire magazine on a Windows NT workstation, running Quark 4.0 and Windows NT 5.0. We’re confident from early tests that we’ll have no problems not only bringing across the vast array of fonts we have invested in a Mac OS platform but hundreds of images as well as Quark, PageMaker and PhotoShop files.

Right now, many organisations are contemplating the move to Windows NT workstations and what is being delivered is a choice of single or dual processor 300 MHz Pentium II chips. The decision one has to make is what is the cost of ownership of a Windows NT workstation versus an SGI, Sun Sparc or an Apple Macintosh workstation.










Get Serious 




PC development is a nightmare - and you accept 
this. You put up with incompatible software upgrades 
and the sheer complexity of application development. 
PC systems are unreliable, require huge maintenance 
and data gets lost. Projects run over time, over budget 
and some simply fail. We don’t accept these low 
standards on a mainframe platform - so why do we 
tolerate them in a PC environment? Get serious... this 
is unacceptable. 

For all the advancements in PC hardware, 
the software available to date has really let business 
down. It’s not scalable and is not up to the demands 
of the multi-user, robust, transaction-based 
environment of serious business computing. 

Would you trust your mission critical systems to
PCs? You would with JADE.


JADE is a new generation software development 
product designed for building industrial strength 
business applications that will run on NT. 

With JADE you get the best of both worlds - 
mainframe integrity, reliability and control, 
alongside PC flexibility, functionality and economy. 

With JADE you can get serious about using low 
cost PCs to deliver your business information right 
across your organisation. Get serious about truly 
maximising all that NT offers. Get serious about 
lowering the cost of your IT to deliver real returns 
on your investments. 

And get serious about preparing your business to 
meet the IT demands of tomorrow’s world. 

JADE, for serious computing on PCs. 



JADE 

Serious Computing on PCs 


For more information, join the JADE Discovery Programme. 
Visit www.jade.co.nz or phone the International JADE Sales Centre 
on 1 800 2438 5233 


HP NetServers are regularly voted No.1.
(You can rely on it.)

The performance of your NetServers is critical. So why take a chance? The experts at leading industry publications consistently vote for the HP range. These independent and rigorous evaluations look at factors like fault tolerance, scalability, flexibility and work load tests. This translates to maximum network uptime and superior data protection. Your HP reseller can tell you more about our range of NetServers. We’ll be happy to leave the last word on reliability to the experts. Be sure it’s reliable.

For more information ask your nearest HP reseller or phone 13 13 47. Or, to receive a fact sheet on the HP NetServer range, phone our HP FIRST fax service on (03) 9272 2627 and request



“Best Product of the Year” 
PC Magazine (1997) 
Never say never.

At a press conference several months ago Jocelyn Attal, IBM’s vice-president for NT marketing, claimed that IBM was only interested in Windows NT for the middleware market and that it didn’t believe NT belonged in the mission-critical enterprise arena. After all, that’s what IBM’s AS/400 and RS6000 servers were targeted at. Yet now IBM has just released its Intel-based servers which are, you guessed it, targeted at the enterprise. And it should come as no surprise that Windows NT will be one of the major operating systems to run on it.

“There’s enterprises and there are enterprises,” stated Andrew J Baker, general manager for servers at IBM Australia, when asked about this shift in focus. Claiming that the NetFinity server is targeted at companies with less than a thousand employees, while the AS/400 and RS/6000 were for larger companies, he nonetheless admitted that “there’s going to be an overlap between the servers supplied”.

Which takes us into that age-old debate yet again - just how suited is Windows NT for the enterprise? According to the companies that actually specialise in mission-critical enterprise computing, it’s very much so.

One of the key players in this game is NCR, who in fact had the first ever NT system back when Bill Gates first announced the OS. As reported in our September issue, NCR should be releasing its new enterprise server that uses 8 Pentium Pro 200MHz processors this month, which squarely places it in Unix’s realm. While this level of scalability is admittedly only possible due to NCR’s own technology that splits the P6 bus into two, the fact is that it is possible - and with Windows NT 5.0 due next year, NT scalability will soon be taken for granted.

Of course, there are other companies apart from NCR who have staked their reputation on enterprise systems and are now adopting the NT platform. Tandem, for example, is a company that’s purely interested in the high-end market and it not only moved into the NT space but was even bought by Compaq for its NT enterprise expertise. Then there’s Amdahl, whose EnVista server is reviewed in this month’s Lab Reports section and was shown to be fast and reliable. So why do a lot of people still maintain that Windows NT is not suited for enterprise applications?

Well, the most common complaint - which also usually comes from the Unix camp - is that Windows NT hasn’t been around for long enough and that it changes too rapidly. The people at SCO Unix maintain that its systems can still run on 386s, whilst to run Windows NT you need at least a Pentium system. Their point is that any system which regularly requires updates and service packs can’t be stable enough to operate a mission-critical environment.

To a certain extent they have a point, but whether it’s a problem that exists only with Windows NT is arguable - after all it’s Unix and mainframe systems that have to be updated the most with the year 2000 problem. Whether it’s avoidable or not from Microsoft’s perspective is also arguable, however, as many claim that Windows NT 4.0 was more unstable than 3.51, at least until the service packs arrived.

But the key thing to remember is that the Internet’s arrival also added a whole new dimension to computing which, in terms of security and infrastructure, was obviously going to change the status quo. It’s easy for people to say that their Unix or AS/400 server never crashed or was hacked into, but then how many of those servers were hooked up to the Internet and treated as network backbones? Or subject to the far greater number of hackers out there today than there was ten years ago?

The other point is that the myth of Unix never falling 

down is j»» to - a «**->«“ Uto 

ever had in an MIS department where the SCO Unix 
server literally crashed once a week. While this was obviously
due to the server not being properly set up - in fact,
it was stuck in a hot little room with no air-conditioning
- it illustrates the point that, however stable the platform
may be, it’s only as reliable as the person who set it up.
Will Intel buy Digital’s
Alpha technology?

Reports have come in that Digital may cross
license its Alpha technology to Intel, following
Digital's lawsuit against Intel for stealing the
64-bit technology. If the deal were to take place, it
would be valued at $US1.5 billion.

However, Intel Australia is hesitant to deny or 
confirm the reports. "It is rumour only," states 
Kate Burleigh, PR manager for Intel Australia. 
"It could be well founded, but we would only be 
speculating." 

Digital says it was not trying to sell the Alpha to 
Intel, as initial reports indicated, but was 
instead seeking a licensing agreement for Intel 
to take over manufacturing in an effort to settle 
the patent infringement suit that Digital brought 
against Intel. Digital has been seeking a manufacturing
partner for the Alpha for a couple of
years. The firm wants to relieve the financial
burden of owning and operating the US semiconductor
plant that produces Alpha chips.

The question is, why would Intel need the 
Digital Alpha technology when it has plans to 
release its 64-bit Merced processor in 1999? 
Especially if, as Digital claims, Intel stole 
the Alpha technology to use in the Merced 
anyway? 

Talking about Alpha, Digital has announced that 
it will release two new AlphaServers, namely 
the 8200 and the 8400. The 8400 system offers 
up to fourteen CPUs and up to 28 GB of memory,
while the 8200 has up to 6 CPUs and 12 GB of
memory. The CPUs are available with speeds of
300MHz, 350MHz, 440MHz and 625MHz. Pricing
and specific release dates were not available
at the time of writing.

For more information, Digital can be contacted
on 132393, or by Web site at http://www.digital.com.au




Unix voted out of Victorian Electoral Commission

When the year 1999 comes around, the Victorian Electoral Commission will be
using Windows NT 5.0 for its Electoral Management System (EMS 2000) rather 
than its existing Unix-based solution. 

According to Nigel Page, senior consultant with Microsoft Consulting Services, this is 
"yet another demonstration of the fact that Microsoft Windows NT is supplanting Unix 
as the ideal mission-critical platform in clustered environments". 

The new system, designed to process and store candidate nominations and results 
for the year 1999-2000 state and municipal elections, will also publish poll counts on the 
Web through Microsoft's Internet Server. Running on both clustered and independent
servers, the EMS 2000 system will also use Transaction Server, Queue Server, Exchange 
Server and SQL Server. 

Currently the Victorian Electoral Commission runs Unix as the main processing 
system at headquarters, while having offices distributed around the state that use 
Microsoft Access to store electoral data. According to Debra Byrne, VEC elections IT 
project manager, the ejection of Unix in favour of Windows NT will mean a better integration
with the state offices. "It will introduce a centralised database," she said.

Byrne also stated that she believes Windows NT will provide high availability 
and integration with other platforms. "Our objective was to use the same products 
on the desktop as in the EMS 2000 to minimise training and to achieve the highest 
possible level of integration between desktop products and mission critical applications,"
she stated.

EMS 2000 is partly being designed, developed and implemented by Microsoft 
Consulting Services (MCS). 
Microsoft builds software DNA and revamps COM

Microsoft has announced a new software architecture for building software that interacts with the Internet. Called the Windows Distributed interNet Applications Architecture (Windows DNA), it's designed to provide a unified architecture and system services to integrate Web and client/server models of application development. The purpose of this is to provide a ready-made foundation so that developers don't have to concentrate on what Microsoft terms the "plumbing". While it's designed to be implemented into Windows NT 5.0, it will also be available in a modified form for Windows NT 4 through the use of an Option Pack that's due later this year.

"Applications to be written during the next two to three years will be based on this framework," claimed Steven Guggenheimer, a visiting US senior project manager.

More specifically, DNA will be composed of three types of services. These will deal with the user interface, business processes such as transaction processing and message queuing, as well as integrated storage services such as file systems and databases. The technology that will bind them all together will be COM (Component Object Model), or more specifically, a new version of COM called COM+. This will be available for developers in a pre-release version by the end of this year.

COM+ will extend the COM architecture and incorporate additional architecture to provide a tool that can use components in any language. New services have been provided in response to developer feedback, including data-binding features, that allow binding between object fields and database fields.

According to Harvey Sanchez, Microsoft's Internet platforms and tools marketing manager, a lot of developers are writing Internet and intranet aware applications. "There are extensions to COM+ that allow you to integrate internet capabilities." Whereas "CORBA don't have extensions to the Internet," he said.

Rumours that Microsoft would drop support for COM by 1999 due to support for CORBA by Sun, Netscape and Novell, are being dispelled with enterprise software developers SAP, Baan and PeopleSoft pledging support for COM in their products. Sanchez reiterated Microsoft's commitment to COM. "COM is not being phased out," he said.

For further information contact Microsoft on 02 9870 2300 or by Web site at http://www.microsoft.com

NT version of NDS released

For fans of Novell's Network Directory Services (NDS), a Windows NT version should be arriving this month. "We want to extend NDS to other platforms other than IntranetWare," stated Cliff Smith, Australian MD of Novell.

NDS is designed to provide a single point of administration for NT and Novell users and resources. It can also provide a single log-in to all users regardless of location. According to Novell, it would make managing a mixed environment easier. A free trial version is currently available from Novell's Web site at http://www.novell.com/nds/nds4nt, while pricing ranges from $480 for 5 users.

Another NT product that was announced is BorderManager, a package by Novell that manages data across the border of two networks, such as the Internet and a corporate LAN. The package includes a proxy server to boost speeds, as well as CyberPatrol for filtering data across the firewall. However, while Novell claims the package works with Windows NT systems as well as IntranetWare ones, a separate IntranetWare server has to be set up and connected to an NT network for it to work. A full Windows NT version of BorderManager is due mid next year.

For more information, Novell can be contacted on 02 9925 3000, or by Web site at http://wwwoz.novell.com.au
Microsoft to embed 128-bit
encryption in future products

Microsoft has released a 128-bit encryption
technology designed for online banking and,
according to Terry Clancy, Microsoft Australia's
BackOffice marketing manager, it will be incorporated
into future Microsoft products that
work with the Internet.

The solution, called Server Gated Crypto (SGC),
enables sessions between banks and customers
to be protected by encryption without
key-escrow, provided the banks obtain a digital
certificate. In Australia, Bankers Trust Ltd has
decided to use it while several overseas banks
have also adopted it.

The key feature of SGC is the fact that it can
offer 128-bit encryption internationally, as the
US Government had given Microsoft permission
to export it earlier this year. Previously any
exportable American encryption product was
limited to 64-bits.

SGC is available for download at
http://www.microsoft.com/industry/finserv. For
more information, Microsoft can also be contacted
on 02 9870 2300.

Server system software for
Windows NT integration

Tektronix has released its WinDD 3.5 server
system software that allows users to access
applications from a central server regardless of
location, operating system or client hardware.
Features of the software include online
access to Windows applications using Web
plug-ins to embed HTML into Windows applications.
A desktop integration feature allows
Unix access to Windows documents. Also provided
is support for ICA thin client multimedia
capabilities.

A process control feature allows CPU levels to
be monitored and administered whilst an
enhanced version of NIS software synchronises
password and user log-in databases on Unix
and Windows NT servers.

By the time you read this WinDD 3.5 software
will be available. Tektronix are offering two
packages, the XPC355 a server license for five
users, and the XP3515, a server license for 15
concurrent users. Pricing is on application. For
further information contact Tektronix on 02 9888
0100 or by Web at http://www.tek.com/Network_Displays
New features to appear in NT 5.0

While the first beta of NT Workstation 5.0 has just been shipped, new features that will only appear in the full version have just been announced. In addition to a new programming framework called Distributed interNet Architecture (DNA) and an updated version of COM, support for a new device standard called I2O will also be provided.

Devices that use I2O will be able to intercept program requests before the CPU receives them, thus allowing the CPU to continue processing uninterrupted. According to Enzo Schiano, visiting US product manager for NT servers, such devices could be monitors, keyboards and any other peripheral. Schiano expects compatible devices to be available at around the same time as NT 5.0's release.

A new form of power management, called ACPI (Advanced
Configuration and Power Interface), will also be included but, as
mentioned in a past Scan article, it won't be compatible with 
existing plug and play devices. Working with another new feature called OnNow, it will 
allow power to be shut off from a PC until a certain time before allowing it to "wake" up. 
At a recent conference, Microsoft gave an example of how this might work by saying that 
a user could set a PC to wake up at midnight, log onto the Internet and download a file. 

Last but not least, NT 5.0 will be the first version of the operating system that will only 
be available in one version, regardless of country it is used in. Currently there are different 
language versions of NT, which makes it harder for developers to create applications that 
work consistently around the world. 



Australian company launches thin client 

Stone Microsystems has released a new "ultra-thin" client solution that enables up to 32 users to connect to one PC. CenterNET-II is an adaptor-based, multiple user system, which is designed for installation into one central PC host. It uses Stone's PCI bus technology as opposed to ISA and has an enabled graphics chipset to take the load off the CPU.

Each card consists of a master board and an optional board supporting two channels each. The junction box is "semi-intelligent" with the ability for multiplexing serial data without being a CPU. Each card can support up to four users, and up to eight cards can be installed in one system. Facilities for multimedia and USB will be incorporated into the system next year.

"The challenge is to find a system with 8 slots," said John Thwaite, marketing executive for Stone. "Although it will become common in the future." He also said that whilst 32 users in some applications may not be appropriate, general office tasks put little load on the CPU.

The CenterNET-II card is aimed at the small to medium enterprise market and is compatible with Windows NT "Hydra". The system will be launched this month at Comdex in the US and is expected to ship in volume during January next year. The four-user system package price is expected to be $2850. For further information contact Stone Microsystems on 02 9417 3788.
Microsoft Exchange Server

outconfigures,
outadministers,
outscales,
outfeatures,
outmails
and generally
outinternets
all other messaging and
collaboration systems.



(Outrageous? Not according to the experts.) 


In comparative reviews by Network World and 
Network Computing, Microsoft® Exchange Server 
prevailed over Lotus cc:Mail, Lotus Notes/Domino, 
and Novell GroupWise as the Internet messaging 
champ. Microsoft Exchange Server garnered an 
overall score of 8.7 on a scale of 1 to 10 in Network 
World’s review. And Network Computing dubbed 


Microsoft Exchange Server its “Editor’s Choice.” 
Further proof that Microsoft Exchange Server is 
the best messaging and collaboration system 
available today—the recent Burke Marketing 
Research study. It concluded that 70% of IT 
Administrators prefer Microsoft Exchange Server 
over Lotus Domino and Netscape Mail Server. 


Test it yourself: Try Microsoft Exchange Server 5.0 free for 120 days. 
www.microsoft.com/exchange/promo/eval/ 
Gateway launches into the server market


Gateway has kicked off its NS Series of
servers, marking its debut into the server market.
Comprised of the NS 7000, NS 8000 and NS
9000, the three servers are targeted at the
workgroup, department and enterprise
respectively.

Following Gateway's acquisition of Advanced
Logic Research (ALR), all the servers will use
ALR's InforManager and ActiveCPR management
software and provide RAID support and
error correcting memory (ECC) systems.

Both the NS 7000 and NS 8000 are scalable up 
to two Pentium II or Pentium Pro processors, 
and expandable up to 512MB of EDO (Extended
Data Output) RAM. The main difference is that
the NS 8000 has hot-swappable RAID support 
for up to 12 SCA drives, dual 365 watt N+1 
power supplies with loadshare capabilities and 
multiple cooling fans, while the NS 7000 can 
only have three Quick Hot-Swap (QHS) drives. 
The NS 7000 is priced from $5,999, while the NS 
8000 is priced from $6899. 

The NS 9000 is the high-end server, which 
Gateway claims is also ideal as an unattended 
Web server. It can use up to six Pentium Pro 
processors, four redundant/hot pluggable 
power supply systems and 12 optional QHS 
drive bays. It also has a LCD touch control 
panel and lockable bay doors. It's priced from 
$23,999. 

For more information, Gateway can be contacted
on 1800 500 816, or by Web site at
http://gw2k.com.au



Browser war heats up


In the same week that Microsoft announced the full release of Internet Explorer 4,
Netscape announced its "Aurora" browser technology which will be implemented in
future browsers - with one being completely Java based.

While many believe that the browser war is ending, a belief partly fuelled by
Microsoft's recent claim of having 45% of the Australian browser market, Netscape
disagrees. "The latest figures we've seen show that we're near 70%," said David Shaw,
Netscape Australia's product marketing manager.

At the announcement of IE 4's full release, Microsoft demonstrated how IE 4 will act
as an integral part of the operating system, converting existing windows such as the
Control Panel to become Dynamic HTML pages. This will allow it to also be a part of
Windows' desktop Explorer.

However, Aurora promises to offer similar functionality as far as the desktop is
concerned. "In its own way it will provide a unified view of the desktop, but we won't
bind it into the OS," said Shaw. He explained that binding a browser into the operating
system could lead to difficulties with the constant upgrades and standards that
browsers now face.

What will allow Aurora to act more like a desktop interface is its use of the RDF 
(Resource Description Framework) standard. Designed to be cross-platform, RDF uses 
XML (Extensible Markup Language) to provide a standard way to represent "metadata".
What this basically means is that Aurora will be able to see information regardless of its
location, whether it be on the Internet, a LAN, a legacy database or the desktop.

Also on the cards for release early next year is a Java-only version of Navigator, 
which will use Aurora technology. A key market for this will be thin clients, although 
Netscape believes it could easily become a mainstream product. 
It may partition, but is it magic?

Do you find that you're running out of disk space? Well, according to PowerQuest the
problem could be due to a poorly partitioned drive, in which case PartitionMagic 3
may be able to help.

PartitionMagic is designed to resize partitions in order to
maximise disk space and will work with Windows 95,
Windows NT and OS/2. It can also install a new hard
drive and transfer files from an old drive to it.

New features include a boot manager to choose
which OS is loaded from boot up, a ClusterAnalyser,
DriveMapper and partition copier.

PartitionMagic 3.0 is priced at $129. For more information,
contact the distributor Matrix Marketing on
02 9439 4499.
































Local developer signs e-commerce deal with Lotus 


Local developer Market Data Systems has
signed a worldwide deal with Lotus allowing 
for its electronic data interchange (EDI) 
product to be bundled with Domino.Merchant. 

The reason for ecCENTRIC EDI's inclusion is to 
provide organisations with access to the Internet 
without additional layers of software. ecCENTRIC 
EDI provides management of electronic commerce 
from the desktop by connecting to users' existing
networks and applications. 

Market Data Systems has been business 
partners with Lotus since 1992 and since then it has
"kept on chipping away at a deal". According to
Gary Marshall (pictured), managing director of
MDS, "The key opportunity was at a Web developers
conference last year when we heard about Domino.Merchant." When Lotus
surveyed businesses on what they wanted included in the software, top of the wish 
list was EDI integration, Marshall said. 

"We are unique, there is nothing else like this in the world. There are no other 
EDI's for Domino," he said. ecCENTRIC features the ability to couple electronic forms 
that can be translated into EDI and transported anywhere. Trading management 
provides access to information determining issues of which companies are involved 
in trading. This incorporates profile techniques and message registration to maintain 
security of information. An audit trail is maintained with source documents never 
being deleted. The inclusion of hypertext links to the output source allows the EDI 
system to trace any errors if they occur and to "pinpoint the problem". Most documents
and file formats can be translated between X.12, EDIFACT, Lotus Notes and any
user-defined formats. Messaging is distributed through e-mail, copying to a Notes 
database, using designated drop zones or fax routing. 

ecCENTRIC EDI will be available with Domino.Merchant at the end of 1997. 
Available in two configurations, the Desktop edition will be priced at $895 and the 
Server edition, providing management from a Domino server is available for $1595. 

For further information contact Lotus on 02 9350 7700 or by Web site at 
http://www.lotus.com, or contact Market Data Systems on 03 9602 4655 or 
http://www.mdsgroup.com



New version of Domino available 

Lotus has just released version 4.6 of its Domino 
and Notes messaging and groupware software. 
New features include support for IMAP4 and 
LDAP, discussion forums (NNTP) and Web 
access (HTTP 1.1 and HTML 3.2). Furthermore, 
the Notes clients will feature a new interface 
called Portfolios, which will provide task- 
orientated navigation and seamless Web 
access. The clients will also support ActiveDoc. 
On the server side there will be two products 
to choose from, namely Domino 4.6 Server and 
Domino Mail 4.6 Server. Not surprisingly, 
the Mail Server will not provide groupware 
support. 

Also announced is Lotus Notes Designer for
Domino, which is designed to replace the full
Notes client. Instead, Designer provides a
broad set of visual development tools to create
applications. Tools and languages that
can be used include Java, HTML, Visual Basic,
C, C++ as well as LotusScript and @formulas.
Pricing for Domino Mail Server 4.6 starts at
$1338, while Domino 4.6 Server starts at $2027.
Estimated retail prices for volume purchases
are $84 for Notes Mail, $105 for Notes Desktop
and $638 for Notes Designer for Domino.

Lotus can be contacted on 02 9350 7700, or by 
Web at http://www.lotus.com/notes 
Project planning the Microsoft way


After a wait of two years Microsoft has finally 
announced the next major upgrade of its project 
management package, called Project 98, which 
is due for release in November. 

New features include resource contouring, task 
splitting, effort-driven scheduling and two new 
Usage views, as well as a cost tracking system, 
which means that Excel isn't needed like it was 
in the last version. 

Also included is a personal Web server facility 
that allows project managers to set up a mini 
intranet of sorts that can provide basic email 
functions. 

As with its previous incarnation, Project 98
largely relies on Gantt and PERT charts.

Priced at $799 for the full version, and $299 for
an upgrade, trial versions can be downloaded at
http://www.microsoft.com/project/98trial.

For more information, Microsoft can be contacted
on 02 9870 2200




IBM ships DB2 




IBM has released its new DB2 Universal Database, which will begin shipping this
month. According to the company it is the first fully scalable, multimedia, Web-enabled
database.

Amongst its features are database integration and multi-platform connectivity. 
Performance monitoring and tuning, administration tools, Web connectivity, object relational
support, bi-directional data replication and advanced database systems
management are also included in the database. 

E-commerce support is through Java Database Connectivity, allowing Web pages and 
Java applications to access DB2 to share real-time data. This means users can build a 
single database for Web publishing and commercial applications. 

A toolkit has also been announced for applications developed and hosted specifically 
on Oracle. Applications and server code/data can be converted and ported to DB2 using 
the SQL Conversion Workbench, which allows the applications to be run in a native form. 

Pricing for the DB2 Universal database starts at $1823 per server and $363 per user. A 
single user desktop is available at $673. For further information contact IBM on 13 24 26 
or by Web site at http://www.ibm.com 
Compaq opens local manufacturing plant

In an attempt to compete against direct sellers Dell and Gateway,
Compaq has opened its first build-to-order manufacturing plant for
the Asia Pacific region.

The $15 million plant, which is located in Sydney, will initially only 
produce business desktop systems, although consumer systems are 
expected to roll out early next year while server production may be on 
the cards in mid 1998. 

"The days when we can provide off-the-shelf configurations is 
almost past," said Ray Muffett, Compaq's director of manufacturing 
operations. 

The plant is the first phase in what Compaq calls its Optimised 
Distribution Model (ODM), a business model which it claims will satisfy 
a marketplace that is starting to expect more individual service. 

According to Compaq, the effects of a local manufacturing plant will 
be significantly lower product costs and higher availability. 
















Sybiz Vision ... accounting 
for a better future. 


Sybiz Vision can grow with your business. It’s a 100% Australian 
developed and supported business package that lets your business run 
with true multi-user Windows™ accounting. It's software that's designed 
for your future. 

Easy to learn, Vision is also easy to use and to train staff on; Just 
as you would expect from Australia’s leader in PC accounting software 
for Windows.™ 

Vision offers a range of modules that will suit your business, 
including an Australian designed Payroll module. All offer fast processing & 
robust performance under Windows 95™ and Windows NT™. 


Vision already handles the year 2000 date changes, and it already 
features an integrated GST option - just in case! 

For an information kit and the name of your nearest Sybiz Solution 
Provider, contact Sybiz today. 


FAX: (02) 9954 5240 

Tel: NSW /ACT (02) 9954 5211 • VIC 1800 683 783 • QLD (07) 3299 1100 * SA/NT/TAS (08) 8232 0600 • WA (08) 9227 8977 






The fifteen-minute intranet 

You've heard of five-minute noodles, now hear 
of the fifteen-minute intranet. That's right, SCSI 
Corporation is now distributing the Microtest 
WebZerver, which SCSI claims can be built in 
fifteen minutes or less. 

WebZerver is designed to allow users to post 
information onto an intranet without the use of 
a network administrator. Instead, the intranet is 
set up like a printer so that the users can post 
documents in the same way as they would print 
information to any other output device. 



Other features that the WebZerver offers are a
rated speed of up to 2.5MB per second and the ability
to handle up to 50 concurrent connections
per minute with a 10/1000 fast Ethernet backbone.
It's priced at $2895.

For more information, contact SCSI on 
02 9894 6033. 


Microsoft’s CE 2.0 brings colour into the PDA world 

Just as you probably bought your PDA (Personal Digital Assistant) running CE 1.0,
Microsoft has announced the second version, which most notably of all allows for 
32 bit colour displays. 

While developers and OEMs are yet to utilise it, CE 2.0 offers several improvements over 
its predecessor. Key amongst them is its support for real-time task scheduling; demand 
paging, which allows files to run even if 
they are larger than the amount of 
available RAM; support for TrueType 
fonts; a Windows Sockets API and 
service layer support for networking; as 
well as UNICODE support, which means 
that local applications can be used worldwide. It also supports the ARM, MIPS, PowerPC, 
StrongARM, SuperH and x86 platforms. 

However, it's also been rumoured that there'll be yet more included in CE 2.0 such as 
Java support, while Microsoft is working on three different platforms for 2.0, with one 
being for PDAs with no keyboard and another that can fit into a car radio. And you 
thought only James Bond could have gadgets. Furthermore, Microsoft's acquisition of 
WebTV technology may see CE being integrated into that as well. 

For existing 1.0 users, upgrade chips should be available from most PDA companies 
- such as Casio - soon after you read this, although they will still leave you in a monochrome
world. New PDAs that will provide colour LCD displays are rumoured to be
released later this year. 

However, the CE platform could face competition from no other than the NC, with 
IBM and Sun Microsystems having been reported as launching the specification for a 
mobile NC platform. Companies said to be interested in developing for it include NEC, 
Fujitsu, Toshiba, Hitachi, and Nokia. 

For further information, Microsoft can be contacted on 02 9870 2300 or by Web at 
http://www.microsoft.com.au 
NovaTech


Internet Security


• Security Auditing 


• Network Penetration Testing 


• Secure Network Design 


• Firewall Configuration 


• ISS Distributor 


• General Security Assistance 


• Security Policy Development 


NovaTech is Australia’s leading Internet and Network 
Security Consultation firm specialising in TCP/IP networks. 
They can remotely assess your network and advise on how 
to increase your security or help in 
implementing a security regime that 
will fulfil your requirements. 

NovaTech Internet Security 
PO Box 487, Ermington NSW 2115 
WWW - http:/www.novatech.net.au 
Secure Email - nova.adm@novatech.ent.au 
(POTP Secure mail only) 

Phone: +61 2 9638 5883 Fax: +61 2 9958 4447 
02 9638 5883 Fax: 02 9967 4447


1: novatech@novatech.net.au 





























Introducing the first database as universal as the Worldwide Web it serves. 



Is your database missing something? If it can’t handle multimedia
as well as conventional data, you should be looking at the new DB2® Universal Database. If it
can’t scale to serve a world of Web users, you could be missing some customers. And if it doesn’t
run natively on platforms as diverse as Windows NT,™ Sun Solaris, AIX and OS/2,® you’re missing
some major efficiencies. Not to worry. We’ve put absolutely everything you need to develop
Java™-based Web apps into one package. And an eye-opening demonstration CD, including trial
code, is absolutely free. Visit www.software.ibm.com/db2univ or call IBM Direct on 132 426 and
ask for DB2NT/Info, and see what you’ve been missing.


Solutions for a small planet™


The IBM home page is located at www.ibm.com. IBM, DB2, OS/2, AIX and Solutions for a small planet are trademarks of International Business Machines Corporation in the United 
States and/or other countries. Microsoft and Windows NT are trademarks of Microsoft Corporation. Java is a trademark of Sun Microsystems, Inc. Other company, product and 
Analytics promises to make
corporate modelling easier. 

Designed to simplify model development and 
maintenance, Analytics is a multi-dimensional 
visual modelling tool. It retails for $995. 

One of its main features is the use of Intelligent 
Arrays, which enable users to add or retract 
dimensions such as time periods, product lines 
or geographic regions with minimal changes to 
the model structure. "Spreadsheet formulas 
embody relationships that are repeated for each 
combination of dimension values," said Shann 
Kellaway, MD of Techflow, Analytics' local distributor.
"Analytics, on the other hand, separates
the dimensions from the relationships so
models remain simple, while automatically 
updating, reporting and graphing the model as 
dimensions change." 

Where traditional spreadsheets bury model
concepts in a rigid row and column format,
Analytics has a visual approach, using object
oriented diagrams with bubbles and links to
highlight key relationships between model variables.
Contact Techflow on 1800 500 650.


Sun sues Microsoft 


If you're considering Internet Explorer (IE) 4.0 and Java as a development platform
for your Windows NT intranet, you'll be interested to learn that Sun Microsystems
filed a lawsuit against Microsoft, claiming that Microsoft breached its agreement 
with Sun in regard to Java implementation. Sun says it will cut Microsoft off from any 
new Java technology until the suit is settled. Analysts say the suit could cause a loss of 
credibility for IE 4.0 and a loss of functionality down the road if Microsoft can't 
implement new Java features as they appear. Sun says that no matter what happens, 
Windows users will have complete Java access through Sun's Java Runtime 
Environment for Windows. 

Microsoft's response to the suit is that Sun's claims have no merit. The response, 
posted on Microsoft's Web site, states that Microsoft believes it is in compliance with all 
aspects of the agreement. Bill Gates told a panel of journalists in Switzerland that 
someone should conduct a compliance test. Gates also said Microsoft does a better job 
of passing those compliance tests than anybody else, including Sun. 

Sun's marketing director says Sun wants this issue to be tried in the court of public
opinion; therefore, Sun is recommending that people tell Microsoft to ensure Java
compatibility. Sun suggests that people vote with their pocketbooks by buying
Netscape's Navigator instead of IE 4.0. But analysts say that consumers should wait for
compliance test results and then make a decision about how well Microsoft has implemented
the Java specs.



• Full of simulations. 

• All topics are explained graphically. 

• Review questions at the end of each chapter. 

• Learn and practice at your own pace. 


DON’T put your career on hold any longer! 


The world's most advanced
computer based training course 


LanTec’s MCSE “The Complete Instructor in a Box” CBT program is the 
only complete MCSE CBT available on the market. This unique CBT 
program has all the modules you need to pass your MCSE exams. 

You will not need any other study materials if you buy this program 
because the entire MCSE course requirements are covered. 

For more information on this exciting new software... 


Free Call 1800 658 786 
INTEL ETHEREXPRESS
PRO/100 ADAPTER FAMILY

Award-winning 10/100Mbps adapters,
including the new EtherExpress™
PRO/100+ PCI adapter with Adaptive
Technology and a new family of
10/100Mbps cards for mobile PCs.

INTEL NETPORTEXPRESS
PRO/100 PRINT SERVERS

Fast Ethernet 10/100Mbps printing, now
with Web-based remote management and
even faster throughput.

INTEL EXPRESS 10/100 STACKABLE HUBS 

The 10/100Mbps hub for a flexible 
transition to Fast Ethernet. 


INTEL EXPRESS SWITCHES 

A complete switching 
solution from the desktop 
throughout the campus. 



INTEL EXPRESS ROUTERS 

WAN connectivity made simple. 


Choose Intel’s 10/100Mbps solutions and you can relax under the
shower a little longer each morning. Taking the time to contemplate
managing your network, instead of rushing out to fix it.

Because with Intel’s complete 10/100Mbps range of Fast Ethernet
products you can have the bandwidth your network needs, right now.
And, there’s no hassles figuring out an affordable, manageable
upgrade path - Intel’s 10/100 solution has already done it for you.

All our Fast Ethernet hubs, switches, print servers and adapters
will slot into an existing 10Mbps environment.

Everything runs at either 10 or 100Mbps as and when required.
So you can upgrade your network workgroup by workgroup without
having to discard your existing 10Mbps investment.

Our latest EtherExpress™ PRO/100+ PCI adapters are offered at
prices comparable to other 10Mbps adapters yet they offer a significant
gain in both 10Mbps & 100Mbps performance. And Intel’s latest
single chip design and Adaptive Technology boost throughput.

So if you’re worrying about how you’re going to find the
bandwidth for the latest data intensive applications and how you’re
going to afford the inevitable migration to a 100Mbps network.

Just relax. Details of Intel’s
entire 10/100Mbps Fast Ethernet
solution are available by faxing
1800 685 568 or visiting our
web site.

www.intel.com/apac/eng/network/au/fe








How to save 
up to 33 %* 
on your 
printing 
bills 
Black Widow set to strike business intelligence market

The new version of Seagate Software's
Crystal product, code-named Black Widow,
is currently in beta release. The software
incorporates technology from both Seagate's
Holos and Crystal business intelligence products
and is designed to bridge the space between
these products by providing a network reporting
and analysis system.

Scheduled for release by the end of 1997, Black Widow will allow users to access, 
view, schedule and analyse relational and OLAP reports from the desktop or via a Web 
browser. The system offloads queries to the back end of the data warehouse whilst an 
integrated desktop allows users to view which requests have already been made, 
reducing the number of hits required to the server. Black Widow utilises thin client architecture
to transfer data in small packets, therefore reducing response times.

Features of Black Widow include the ability to build a report off a multi-dimensional 
database. Java applets allow information to be viewed from the Web and allow user 
access to schedule report run times. Navigation is facilitated using Web technology and 
HTML caching. Seagate Crystal Report 6.0 is also included in the Black Widow release. 

Pricing for a basic Black Widow client license for five users starts at $2170, with additional
modules available. The Master Pack including the OLAP and report/query design
modules starts at $5440 for five users. 

For further information contact Seagate Software on 02 9955 4088 or by Web site at 
http://www.seagatesoftware.com 



Informix launches database and bashes Microsoft


In the same week that saw Informix shares at an all-time low, Sybase has launched its
Adaptive Server Enterprise 11.5 database for Windows NT.

Designed for on-line transaction processing and decision support, the database is 
targeted, as its name would suggest, at enterprise systems. 

The major players in databases are currently Oracle, Sybase, Informix, IBM and 
Microsoft. Yet according to visiting CEO Mitchell Kertzman, Microsoft's SQL server is of 
no threat to the big database companies, claiming that it's "less scalable than Microsoft 
said it would be". However, he did believe Microsoft 
was a threat to independent companies. 

"I think the Microsoft monopoly is far more 
dangerous to customers than the Intel one", he 
claimed. 

In addition to the database, Adaptive Server
Enterprise 11.5 also has four tools bundled in. These 
include PowerDynamo, for creating database-driven 
Web sites; SQL Modeller, a data modelling tool; 

InfoMaker 5.0, a reporting and analysis tool; and 
SQL Remote, a data-replication utility. 

Pricing starts from $5770 per server and $1150 
per user. For more information, contact Sybase on
02 9936 880, or by Web site at http://www.sybase.com 
Remote Access
with Windows NT


You need an alternative
to the “enterprise wide”
remote access solution -
one specifically designed for
your small to medium size business.



You need LantraServer. 


Why do you need an alternative to “enterprise wide”
remote access solutions? Because larger solutions
replace Windows NT™ RAS with complex, proprietary and
often incompatible networking software. Extra effort,
increased costs, and the need to purchase even more
software is the result. Not to mention LAN administrative
headaches as well.

You won’t have those expenses with LantraServer.
LantraServer maximizes the growing remote access capabilities
already built into Windows NT. Which means you
get all the benefits of Windows NT RAS extended to everybody
on the network - local or remote. And you can still
maintain full compatibility with all your Windows applications.
There’s nothing new to learn. Nothing new to purchase.
If you’re already using Windows NT, you’ll have
LantraServer up and running in less than 5 minutes.
LantraServer fits into your Windows NT environment easily,
simply, and transparently. And you can maintain
LantraServer so easily, you won’t even know it’s there.

Get connected with the remote access solution built 



www.stallion.com 


for people-not networks. LantraServer. The easiest, 
most cost-effective remote access solution for Microsoft 
Windows NT environments available today. Call Stallion 
Technologies for more information. 

1-800-NT-RRAS (1-800-687-727)' 

Ask about our reseller incentive programs. 


express. 


stallion 

access everywhere 


Express Data ACT (06) 248-9600 NSW (02) 9598-9100 QLD (07) 3292-1333 SA (08) 8271-9677 VIC (03) 9278-7200 WA (08) 9322-5605 

www.expressdata.com.au sales@expressdata.com.au 



RealSecure 1.0 for Windows NT


Internet Security Systems 

Monitor your network and protect it 
from malicious attacks 


Attacks on networks connected to the Internet are rampant
and getting worse. People are continually discovering
new ways to break into or disable Windows NT. You are
justified in protecting your network, but you need tools to
do the job. One gem of a network protection tool is
RealSecure 1.0 for Windows NT, from Internet Security
Systems (ISS).

You might think your network is protected adequately,
but how do you know for sure? Do you know when
someone is trying to break in or attack a network service?
Maybe you monitor the attack logs that your security systems
produce. Although monitoring system logs is a great
practice, it doesn’t stop attacks; it simply informs you that
an intrusion occurred.

Not all security systems can recognise all forms of
attacks. Frequently, you have to program a security system
with information about an attack type before it can prevent
or detect it. The security system you bought last year
might not adequately handle this year’s attack methods.
The solution is to keep your security systems up-to-date,
a time-consuming but worthwhile effort.

Between updates to your security systems, RealSecure,
a realtime network attack recognition system, can help
you monitor network security. RealSecure looks at network
traffic at the packet level (much like a network sniffer)
and uses its built-in attack recognition logic and
definable filtering rules to determine whether the packets
are potentially malicious. (RealSecure can recognise more
than 200 different system attacks.) Filter rules define the
n attack. When 
record the date, 
:t of the event; record the event’s 
yffiack; notify administrators of the 



■ Screen 1: Displaying the filter logic of the Maximum Coverage template

■ Screen 2: Viewing the engine's attack signatures


attack; or terminate the attack by killing the affected network
sessions. Powerful stuff, to say the least.

















































Inside RealSecure 


Let’s take a quick look at RealSecure’s components to see 
how they interact. RealSecure installs as an application 
console, a network service (which ISS calls an engine), and 
a custom packet driver that you load with your other 
network protocols. 

The RealSecure engine reads the packets as they arrive 
at the network interface from the packet driver. The engine 
compares the packets to established filtering rules. If the 
engine finds a packet that matches a rule, the engine’s attack 
recognition logic parses the packet information. If the logic 
detects an attack, the engine takes an appropriate action as 
defined in the filtering rules. The engine also sends all 
packets that match the filters to the console for logging, 
reporting, session playback, or review. 



■ Screen 3: 


Installation and Configuration 

Installing the software is quick and painless. You need to 
install the software on each segment that you want to 
monitor. You can load a packet driver and engine on an NT
system residing on each remote segment and then load a 
single centralised console on an NT system that collects data 
from the other RealSecure engines. If your network is 
simple (i.e., it uses only one network segment), you can load
one copy of RealSecure on any NT box to monitor your 
entire LAN. Each console uses an authenticated and 
encrypted system-to-system session to talk with a remote 
engine. This process prevents any tampering with your 
RealSecure monitoring system’s network traffic. 

After you’ve installed RealSecure on each system, you 
fire each one up and configure it. Configuring RealSecure 
means defining which attacks or suspicious activity you’d 
like to watch out for (called filtering) and what to do about 
a particular event when RealSecure detects it. For example, 
if your network security policies disallow all inbound Telnet 
sessions and you’ve adjusted your firewall to prevent them, 
you could configure RealSecure to watch for inbound 
Telnet connections. If an intruder defeats your firewall and 
launches a Telnet session, RealSecure can detect the session,
shut it down immediately, and record a detailed log of what 
occurred during the session. 

RealSecure can recognise hundreds of potential attack 
scenarios. Screen 1 shows some predefined filter logic of the 
Maximum Coverage template; Screen 2 shows some attack 
signatures used for detection in the attack recognition 
portion of the engine. You can use the built-in templates or
define your own. 

After you configure the software, you assign your chosen 
filter profiles to each engine on your network. To assign 
filters to an engine, right-click an engine listed in the Engine 
window, choose Properties, select a filtering profile from the 
choices (as you see in Screen 3), and click Apply to Engine. 


■ Screen 3: Selecting a filtering profile

■ Screen 4: Viewing RealSecure's console interface


The engines start up using the specified filters and begin 
acting as your network watchdogs. You can manage all 
engines, local and remote, from one centralised console, 
which simplifies management in a distributed environment. 

RealSecure in Action 

RealSecure’s console is the central place where you review 
the captured suspicious network activity. As you see in 
Screen 4, the interface has five windows. In the left window, 
you can see a hierarchical view of the source address, the 
destination address, events, or actions taken on those events. 
This window’s NT Explorer-style tree view provides an easy 
way to drill down to the capture information. The three top
windows on the right (High Priority, Medium Priority, and 
Low Priority) display each type of captured event according 
to its definable priority level. The Engine window identifies 
the location of the engine and the template being used for 
monitoring. 

Screen 5, page 74, shows a maximised view of the
Medium Priority event window. As you can see, RealSecure
has captured many events that I defined in the filters
as being of medium concern to me. These events are
mainly HTTP_Get requests, the usual request a Web
browser uses to retrieve a Web page. RealSecure captured
the name of the engine reporting the event, the Web Get
request, the user’s IP address (source address), the destination
address (my Web servers’ addresses), the URL used
to retrieve the document or file, and the time and date.
Ordinarily, you don’t want to monitor every user retrieving
simple Web pages from your server, but I do because
my Web site has encountered suspicious activity in the
past. Tracking all access might help me catch an intruder
red-handed.

High-priority events are the most interesting. During 
my test, I launched many attacks (ping floods, SYN 
floods, IP spoofs, User Datagram Protocol bombs, and 
several other common intrusion attacks) on my systems 
to see how RealSecure would react (as shown in 
Screen 6). As I expected, RealSecure immediately 
detected my attacks, collected information about them 
for my review, and shut them down. 

Another nice feature of RealSecure is its ability to 
capture and replay entire network sessions. For example, 
you can define a filter to track and capture attempts to 
Telnet into your router or other systems. Later, you can 
replay the session to see what the intruder was doing. You
can use these captured sessions as evidence against the 
would-be intruder if you prosecute. Really slick and 
greatly needed. 

The software is robust and easy to use, and it has plenty
of useful features. A report generator produces formatted
reports. And the ISS support team does a fantastic job
of answering your questions.

The second major release of RealSecure will contain 
new functionality such as automatic attack logic updates 
over the Internet and the ability to push RealSecure out 
to remote servers without special software such as 
Microsoft’s Systems Management Server (SMS). RealSecure
runs on NT and on a variety of UNIX operating
systems, and the program can detect attacks against any 
operating system using TCP/IP, not just NT. 

I want to point out that someone could misuse
RealSecure’s power internally to launch attacks against
your network. For instance, just as you can use
RealSecure or some other software to prevent users from
surfing to certain Web sites, disgruntled employees could
use RealSecure to attack your network or wreak havoc
on connecting networks. Treat the tool like any other
sensitive information or equipment: limit access so that
only trusted operators can get to the RealSecure consoles.
In the next version of RealSecure, ISS will add a
feature that lets RealSecure detect other copies of
RealSecure on the network; this feature will help control
internal misuse of the software.

■ Screen 5: Displaying a Medium Security events window

■ Screen 6: Viewing active attacks

I’m impressed with this new product, and I feel much 
more secure about my LAN environment now that I 
have it installed and running. RealSecure is a must-have 
package for any serious network environment, especially 
if you’re connected to untrusted networks such as the 
Internet. 

— Mark Joseph Edwards 


LIST PRICE: $7999 for a single perpetual license

CONTACT: Internet Security Systems distributed by
Information Gateways 02 9975 6779
Web: http://www.iss.net
OmniGuard/ESM 4.4


AXENT Technologies 


Secure your network with OmniGuard/ESM

Axent Technologies’ OmniGuard/ESM (Enterprise 
Security Manager) 4.4 is a multi-platform security monitoring
system that includes support for Windows NT.
OmniGuard/ESM is extremely useful in a single-server 
environment but is downright invaluable in a multiserver 
environment that includes NT Server, UNIX, OpenVMS, 
and Novell IntranetWare. 

OmniGuard/ESM lets a network manager verify that
security policies are in place. For example, your corporate
security policy may require that passwords are at least six
characters long. Checking for this policy is simple for a
single-server environment but tedious for larger networks.
OmniGuard/ESM can easily perform this check in a
multiserver environment. But this feature is just one of
OmniGuard/ESM’s functions.

You can configure OmniGuard/ESM so that security 
policymakers and security policy implementers are not 
the same people. This capability lets a security manager 
create a policy and see reports on the network’s status, but 
not change any of the security elements in NT (or any 
other operating systems). Network managers can see policy
reports but not change the security policy. However,
they can change the security elements within NT. 

Usernames and passwords are one aspect of security 
that OmniGuard/ESM checks. The software can check 
password durability, which includes password length and 
matches with common words. You can also include a set of
company-specific words so that users don’t have passwords 
that match project names. OmniGuard/ESM checks file 
attributes, directory attributes, system auditing settings, and 
even system startup files. Platform-specific checks, such as 
email checks for UNIX and NetWare, are also available. 

OmniGuard/ESM uses client/server architecture. A 
client, or agent, runs on a PC where security will be 
checked. The server is where OmniGuard/ESM maintains
and manages the results of the security checks. 

Although using OmniGuard/ESM does not guarantee 
a secure network, it does let you identify potential security
problems. The software recommends changes and provides
both text and graphical reports that are easy
to understand.

Installing OmniGuard/ESM was quick and simple. 
The program installed both the agent and the server, and
the CD-ROM contains software for agents and servers for
each platform supported. 

Installing OmniGuard/ESM on a second NT server
and an IntranetWare server required agent installation
only. The software uses TCP/IP as the transport between
agents and server. You can also use IPX with IntranetWare
environments.

Installation for both the NT Server agent and server
was identical. The IntranetWare agent installation was
slightly different, because the agent is a NetWare loadable
module (NLM). The IntranetWare agent required a
registration step for the NT OmniGuard/ESM server to
recognise it. Agents are always running, but they perform
checks only on server requests.

You can manage large, distributed networks by interfacing
multiple Managers to centralised Super Managers.
I implemented a single Manager environment. Super
Managers let you forward security information to a central
location.

OmniGuard/ESM lets you group agents into domains. 
The domains are often configured to match the NT domains,
but this is not a strict requirement. Instead, the
OmniGuard/ESM domains can match the security 
requirements. For example, high-security areas can map to 
one OmniGuard/ESM domain and low-security areas can 
map to another domain. 

Next, OmniGuard/ESM defines users. The software 
requires a single user account but most environments will 
have multiple user accounts with varying degrees of control.
For example, the security manager, who is usually the
OmniGuard/ESM installer, can create policies and run 
and examine reports. Network managers can run and 
examine reports and must also have accounts that let them 
change security on appropriate PCs. 

After installation, it is a good idea to run an immediate 
security check involving all agents, as shown in Screen 1. 
This check tests the communications support and determines
the current security setup for the network. The
time required for a security check depends on the number
and complexity of the agent PCs. Security checks
operate in tandem on each agent, and the entire operation 
is complete in less than an hour. 

■ Screen 7. Running a security check

OmniGuard/ESM provides two interfaces to an
OmniGuard/ESM server. One interface employs a command
line interface and the other interface uses a GUI.
The OmniGuard/ESM documentation covers command
line interface commands, and online Help is available for
both interfaces. The command line interface is useful
because its implementation spans server platforms. It can
also be used to automate reporting through scripting.

The 32-bit Windows OmniGuard/ESM management 
application is where most security managers and network 
managers will work. It provides access policies, policy 
checking schedules, and reporting. You can run the management
application from any Windows 95 or NT workstation,
not just a PC that is running OmniGuard.

The management application lets you create reports 
and save them for later comparisons with new results. As 
you run new reports, you can see improvements in security
performance.

Network managers usually have the responsibility of 
correcting problems. In most cases, OmniGuard/ESM can 
help fix problems after it identifies them if you click the 
Correct push-button in the Security Report dialogue 
box. Typically, OmniGuard/ESM presents a dialogue box 
with actions, such as changing a password or permission, 
to fix the problem. The software logs these corrections, and
an undo function lets you reverse a correction. In some
instances, OmniGuard/ESM can only recommend 
changes. Network managers must then use NT tools to 
make the necessary changes. 

OmniGuard/ESM proved to be an excellent tool that 
found a number of flaws in our multivendor (NT Server 
and Novell IntranetWare) environment. The overall operation
was very simple - even users who were not well-versed
in its intricacies could use it.

A few areas need polishing, however. For example, the 
policy report summary uses colour-coded names for status 
indicators, but it does not use these colours in the report. 
It does, however, use them for graphed results. 

OmniGuard/ESM works with other AXENT products
such as OmniGuard/ITA (Intruder Alert) and
OmniGuard/EAC (Enterprise Access Control) for Win95.

-William Wong 


AXENT Technologies is distributed by 
Global Business Solutions 02 9418 4455 
and Software Intelligence 03 9431 0133
Web: http://www.axent.com 
FrontPage 98


Microsoft 

An impressive product designed for 
beginners and experts alike 

The latest version of Microsoft’s FrontPage Web authoring 
tool is becoming easier for the broadest set of users - beginner,
advanced and professional - to use. It also adopts a more
integrated approach to the many facets of Web publishing.

FrontPage 98 has divided the authoring functions into
three areas — the editor, file manager and personal Web
server. The editor provides page design and HTML formatting
tools. The file manager can display and verify links
between files. The personal web server provides HTTP services
in the background.

The FrontPage 98 Editor is one of the few advanced 
editing applications to date in its delivery of comprehensive 
Web creations and management tools that are easy to use. It 
utilises all advanced Hyper Text Markup tags, including 
background sound, Microsoft’s own marquee tag, and all 
Netscape extensions known at the time of its release. Even 
though a Web year is only 2 months, no doubt Microsoft 
will release downloadable plugins for FrontPage 98. The 
Editor’s best function is its GUI user-friendly interface and 
design. Style and tools are logically grouped graphically. 

As with many web authoring applications which 
include style sheets, the professional web designer will not 
be impressed with the level of graphic treatment. Again, 
many graphic styles and conceptual designs are not suited to 
corporate use. Operators of FrontPage 98 will find the 
WYSIWYG tables and frames support superior to that of 
other Web authoring tools. FrontPage 98 has also included 
some of the latest developments in Web publishing such as 
Dynamic HTML Push Technology, Channel Definition 
Format (CDF) and Cascading Style Sheets (CSS). 

On the server side, the greatest asset to FrontPage 98 is 
letting Explorer (Microsoft’s browser) verify links within 
your site, but you can also use it to actually publish a site 
live on the Web if you wish (personally we wouldn’t). The 
product is not advanced enough to handle many simultaneous
connections and run time but it’s fine for testing and
prototype purposes. 

Because web sites are becoming more database integrated,
using FrontPage’s WebBots can have its advantages for
self web publishing small businesses, but for major corporations
that use FrontPage, the application does allow the
operator the option of creating forms using CGI scripts,
rather than using FrontPage’s WebBots. You can also manage
the file transfer dynamically using an FTP.

One of the main advantages of using FrontPage 98 is site
management ability. In updating a site or file published on
a remote server, FrontPage 98 maintains deleted pages and
files to the previous hyperlink and informs the operator of
all redirected or missing links.

■ Screen 1: The new Navigation View includes navigation bars
and text based hyperlinks.

You can even organise a site-building flowchart plan,
using the new Navigation View, helping developers plan
and organise the content and structure to their site, inclusive
of navigation bars and text based hyperlinks. With controlled
access privileges FrontPage 98 allows different
workgroup members to work on different folders without
editing other areas.

FrontPage 98 is one of the few Web authoring/management
tools that gives the operator the option of working
locally or on a remote server over the Internet. Rename a 
GIF file on the server and all of the pages on the server that 
link to the file will be revised — great stuff for mundane 
maintenance tasks. 

FrontPage 98 has also included a supplement to page-editing
and site-management tools with an Image
Composer, a bitmap/vector graphics editor. There are some
benefits for basic chores like converting JPEGs, but it also
offers advanced features like colour filtration. Beginners will
certainly find this facility useful, but those of corporate
organisations will prefer the professional digital imaging
applications. Microsoft’s New Intelligent Design-Assistance,
which it claims will eliminate the need for programming
knowledge or graphic design expertise, will produce the
Token Gesture type of Web site which we in the Web publishing
industry have been trying to live down.

Again, Microsoft has hit back at its competitors with an 
integrated web authoring and management tool on par 
with, if not better than, the most respected Web authoring 
applications. Coupled with its management ability and price 
of $169, it’s certainly first off the blocks in terms of choice. 
Web publishers will not be disappointed using this product. 

- Kevin Page 
neural.com.au / The Adtype Group. 


LIST PRICE: $169

CONTACT: Microsoft 02 9870 2200
http://www.microsoft.com




























EnVista Frontline Server


Amdahl 

EnVista FS works effectively 
as a standalone or in a cluster 


Amdahl, well-known for its mainframe-size systems, offers 
three enterprise systems to the NT market: EnVista 
Frontline Server (FS), EnVista FS/R, and EnVista Server 
Model ES. This review looks at EnVista FS, a system for 
datamart, groupware, and intranet applications. Amdahl
sells EnVista FS as a standalone system or in a cluster
configuration.

EnVista FS is an excellent component in a cluster solution
because it has built-in fault-tolerant features, such as two
420-watt power supplies (you can add a third power
supply), error controlling and correcting memory,
hot-swappable Ultra Wide SCSI-3 drive bays, and two
embedded SCSI controllers to control the drive bays.
These features also make EnVista FS a superb standalone
system for mission-critical applications.

You can easily upgrade a standalone system to a cluster
solution using Microsoft’s Wolfpack, VERITAS FirstWatch,
or NCR’s LifeKeeper clustering solutions. In fact,
EnVista FS is one of the few systems certified for
Microsoft Wolfpack. (For more information, see Joel Sloss,
“Cluster Server” August 1997.)


Performance Features

EnVista FS offers many performance features, including
four 200MHz Pentium Pros (each with 512KB of cache),
dual PCI buses, and dual embedded Adaptec Ultra Wide
SCSI-3 adapters. Other system features include support for
up to 1GB of memory, 6 PCI slots, 4 EISA slots, 12
hot-swappable drive bays, a video graphics adapter (VGA)
video connector, a 3.5" floppy drive, a CD-ROM, 2 RS-232
serial ports, a printer port, a PS/2 keyboard port, and
a PS/2 mouse port.

A nice-looking beige case with doors houses all these
components. The 3.5" floppy and CD-ROM drives hide
behind one door, and the 12 hot-swappable drive bays hide
behind the other. The system I tested also included a 17"
monitor, a mouse and a keyboard.

Amdahl pre-installs Windows NT 3.51 or 4.0 and
includes Intel LANDesk Server Manager in the EnVista FS
package. You can get the system preconfigured from
Amdahl with SQL Server, SMS Server, SNA Server,
Symantec pcANYWHERE32, or Amdahl’s EnVista
Database Gateway (which lets you connect two existing
mainframe databases).

Amdahl's EnVista Frontline Server is a fast,
reliable server that is easily upgradeable.

A Solid Performer

In the past several months, I’ve used
EnVista FS for various projects in
the Windows NT Magazine Lab.
The system was a solid performer.
Initially, I used this system as a bundled
cluster solution. Later I used it
as the host for fibre channel testing.

The only problem I encountered
was when I installed a RAID controller
on the primary PCI bus. After
I installed the RAID controller, the
system insisted on initialising it
before initialising the embedded
SCSI controllers. This insistence prevented
the system from booting
from its internal hard drive.

To solve this problem, I simply
moved the RAID controller to the
second PCI bus. A nice feature
would be a BIOS option to let you control the initialisation
sequence of the embedded SCSI controllers and the
PCI card buses.


A Thumbs Up

I was impressed with the Amdahl EnVista FS. I recommend
that you give it serious consideration if you are looking
for a fast, reliable server that you can easily upgrade.
The price is comparable to similarly equipped systems 
from other vendors, and Amdahl is a reputable company. 

—Dean Porter 


LIST PRICE: $35,000 (includes two 4.3GB Seagate
Barracuda hard drives and 512MB of memory)

Amdahl
ph: 02 9561 9999
Web: http://www.amdahl.com
by MICHAEL E. CHACON

Is on guard in Windows NT 5.0

this security protocol can help keep intruders away


If you were in the mythological Roman underworld
of Hades, you would have much to fear from
Kerberos. This ferocious three-headed dog guards
Hades with six sharp eyes and many sharp teeth.
But because you are in the real world, you don’t
have to worry about Kerberos - unless you are a hacker.

Besides being a mythological character, Kerberos is the new
security protocol in Windows NT 5.0. It replaces NT LAN
Manager (NTLM), the default authentication protocol
in NT 4.0. (For more information about the relationship
between Kerberos and NT 5.0, see the sidebar “How Kerberos
Fits into the Windows NT 5.0 Security Model”.)

Instead of three heads, NT’s Kerberos has a three-sided,
shared-secret key authentication process that lets network
users prove their identity without exposing information that
could compromise network security. What do shared-secret
key and three-sided mean?

Shared-secret key denotes that two parties share the key,
or the secret, to verify identities. In contrast, some encryption
schemes use a private/public key approach in which
one party possesses two keys: a public key, which the party
shares with those it wants to have access to its system, and
a private key, which it shares with no one. These keys,
together, verify identity.

Three-sided signifies that the authentication
process involves three components,
the first of which is the client (or the client
application) representing the user. (For an
illustration of how a client application
would use Kerberos, see the sidebar “How
Authentication Is Used in Network
Applications”.) Kerberos uses Data
Encryption Standard (DES) shared-secret
key cryptography to authenticate clients in
unprotected networks (i.e., networks that
consist of unsecured host machines).
Although DES has proved an effective
encryption technique, a few hackers have
cracked the code. So Kerberos also lets you
use other encryption algorithms, such as
triple DES. (For more information about
how Kerberos’ evolution led to this feature,
see the sidebar “A History Lesson”.)

The second component in Kerberos’
authentication process is the resource that
wants to ensure clients are legitimate. This
resource is often a network server.

The third component is the central
repository for information about clients. In
most cases, the repository is a Key
Distribution Center (KDC) service. The
KDC account database contains the identities
and master keys (i.e., passwords) of all
network clients and servers within the network’s
administrative domain, or realm.

To thwart unauthorised access to the
database, the network server’s private master
key encrypts all of the clients’ master
keys. The administrators’ local KDC password,
in turn, protects the private master
key. The KDC password is the last line of
defense. A physically secure KDC is an
essential component of an effective
Kerberos system.

Now that you know the components in
the Kerberos process, let’s take a look at
how they work together to authenticate
clients within and between


How Kerberos Fits into the Windows NT 5.0 Security Model

How does Kerberos fit into the big picture? NT 5.0 addresses Kerberos' three components - the KDC,
client (C1) program, and network server (S1) - in various ways. NT 5.0 implements KDCs on each
domain controller and substitutes the Kerberos term realm for the NT term domain. NT 5.0 integrates
the KDC with the Windows NT directory service. The KDC uses the NT directory service as the
account database for the clients' passwords and names. NT 5.0 implements C1 as a Security Service
Provider (SSP) written to the Security Support Provider Interface (SSPI). The WinLogon service
invokes the C1 SSP during the Ctrl+Alt+Del sequence that NT uses to prevent Trojan Horse attacks.

Specifically, C1 logs on to the NT domain (or Kerberos realm) with the WinLogon service and obtains
the TGT encrypted with the C1 hashed password. C1 then obtains the TGT from the KDC service
running on the domain controller. C1 stores the TGT with other user logon information in the workstation
cache. When C1 tries to communicate with a network service, the client runtime checks the
ticket cache for a valid ticket for that specific server. If a valid ticket isn’t available, C1 sends the TGT
that it received from the logon process to the KDC to obtain a specific ticket for the desired server. C1
adds the session key and ticket to the ticket cache so that C1 can use the ticket for future sessions
until it expires.

The NT domain security policy determines ticket expiration. The default is eight hours. If a ticket
expires during an active session, the client Kerberos SSP returns error codes internally and
automatically renews the ticket. The Kerberos SSP then requests a new KDC-generated ticket with a
shared session key, and the client resumes the connection with the server - all without user
intervention.

Kerberos is an identity authentication protocol, not an access control protocol. As a result, once
the client and the server authenticate each other's identity, NT uses security IDs (SIDs) and access
control lists for discretionary access to resources on the network.

NT 5.0 Kerberos supports forwarding flags in the tickets. NT uses this feature to let servers with
client tickets communicate with other servers on behalf of the client. The secondary server can also
pass client tickets to other servers to continue the distributed delegation chain. This feature is
important for distributed client/server applications, such as Systems Management Server (SMS) and
Exchange Server.

NT 5.0 supports the Kerberos KDC messages defined in RFC 1510 and the Generic Security Service
API (GSS API) security formats (as defined in Request for Comments - RFC - 1964) to provide
interoperability with non-NT operating systems. The NT domain controller can refer a client from
another network operating system to the KDC. The foreign client then requests a session ticket from
the KDC. Because this request will probably not contain the SID-based authorisation information, NT
5.0 lets the administrator map the UNIX Kerberos principal name to an NT account for authorisation
information and to create a ticket for the foreign client.

Microsoft is working with the Internet Engineering Task Force (IETF) Common Authentication
Technology (CAT) working group on extensions to Kerberos RFC 1510 to include private/public key
technology to broaden foreign systems' ability to communicate securely with NT. If the RFC is
extended, the NT KDC will be able to encrypt tickets with a client's public key obtained from an X.509
certificate on an NT server, a third-party server (such as VeriSign), or even a NetWare directory
service. This extension would let an administrator give a user outside the NT directory service
permission to use an NT resource.









THE ONE WITH THE HIGHEST 
AVAILABILITY, DATA CENTER 
CLASS SUPPORT - AND REALLY 
GREAT ESCON CONNECTIVITY. 

Amdahl NT servers and your 
mainframe were made for each 
other. Because Amdahl endowed 
the new EnVista™ servers for 
Windows NT® with everything 
A History Lesson


Although Kerberos is new to NT 5.0, it has been around for quite some time. The Massachusetts 
Institute of Technology (MIT) developed Kerberos in the 1980s as part of the Project Athena Network. 
The Athena Project attempted to discover how to design, implement, and manage distributed 
computing environments. 

The first three releases of Kerberos were developmental versions, so MIT primarily used them. 
Kerberos 4 was the first version to leave MIT's confines. After Kerberos 4's release, many UNIX and 
Internet systems integrated this authentication protocol. 

As would be the case with any protocol exposed to different systems and unforeseen demands, 
new users encountered many limitations with Kerberos 4. For example, Kerberos 4 used DES 
encryption, but DES is illegal to export outside the United States and some users question whether it 
is a secure encryption methodology. 

Kerberos 4’s limitations became productive feedback for Kerberos 5. Kerberos 5 has many 
improvements, such as the ability to use triple DES or even other encryption algorithms of choice. 
Request for Comments (RFC) 1510 defines Kerberos 5. Although products with Kerberos 4 are still 
widely used, most new products, including NT 5.0, will feature only Kerberos 5. 


How Kerberos Guards Your
Network Within a Realm

When a PC user wants to access information
on a network server (S1) within a
realm, the Kerberos-enabled client (C1)
contacts the KDC with a request for credentials.
This request triggers a chain of
events that leads to the authentication of

Kerberos uses messages to let each
Kerberos component know what is occurring
during the authentication process. In
many cases, these messages are notated by
symbols. Although many different symbol
or code characters exist for notation, they
usually follow a certain pattern, such as

KDC > C1: {12345}K_C1,S1

In this code, KDC > C1 specifies that the
KDC is sending a message to C1. The message
then follows the colon. When the
message is in brackets { }, it is encrypted;
when a message is not in brackets, it isn’t
encrypted. The letter K after the bracketed
message represents the key, and the subscript
letters and numbers that follow represent
the clients and servers that can access
the key. So the translation of the code
KDC > C1: {12345}K_C1,S1 is that the KDC
is sending the encrypted message of 12345
to C1, and C1 and S1 possess the key to
decrypt the message.

Understanding Kerberos code takes
practice. To help you better understand
the Kerberos code and process, here is
a typical exchange between a KDC,
C1, and S1:

C1 > KDC: C1, KDC, Timestamp

Translation: C1 is sending a plain-text message
to the KDC requesting a ticket to
communicate with S1. This message contains
the client username, server or service
name, and a timestamp. The purpose of the
timestamp is to stop protocol sniffers (readily
available devices for debugging networks)
from capturing packets and replaying
the transmission later in an attempt to
gain access to the server.

KDC > C1: {K_C1,KDC, Timestamp}K_C1, {TGT_C1,KDC}K_KDC

Translation: The KDC is sending back an
encrypted message to C1. The KDC
encrypted the message with an algorithm
using C1’s password. The message contains
a timestamped session key to use with the
KDC and a general ticket, called a ticket-granting
ticket (TGT), which C1 can use
to obtain future tickets for specific services
within the KDC’s administrative realm.

The TGT eliminates the need to follow
the entire client authentication process
with the KDC for every network request.
It also eliminates the need to send passwords
across the network because the user
decrypts the ticket using his or her password
at the client location.

C1 > KDC: {C1 Authenticator, S1, Timestamp}K_C1,KDC, {TGT_C1,KDC}K_KDC

Translation: C1 is sending a request to the
KDC to communicate with S1. C1
encrypts this request with the session key
that it obtained from the KDC. The
request contains S1’s name, the timestamp,
and the TGT.

Once the KDC receives this request, it
decrypts the request with the session key
to verify that the request came from C1.
The KDC then creates a new session key
that C1 and S1 will share. The KDC also
creates a specific ticket to present to S1.




















How Authentication Is Used in Network Applications 


You can use cryptographic authentication to solve an important security 
problem found in many network applications: the transmission of passwords in 
plain text. Without cryptographic authentication, a client must identify itself by 
sending a plain-text username and password. 

For example, assume your Internet email account name is Harpo and your 
password is swordfish. If your email service has POP3, the service uses the 
following sequence of commands and responses to retrieve messages 
(C: denotes a message from the client to the server; S: denotes a response 
from the server to the client): 

C: (opens TCP connection to server on port 110)
S: +OK POP3 Server Ready
C: USER harpo
S: +OK
C: PASS swordfish
S: +OK user/password acceptable

If your email service has Internet Mail Access Protocol 4 (IMAP4), the service 
uses similar commands and responses to retrieve messages. In either case, 
anyone with access to your network and a network sniffer can easily see your 
valid username and password. Intruders can also use various software utilities 
(such as NT 4.0's Network Monitor) designed to access all network messages 
to learn your username and password. And the intruders don't even need to be 
on site. They can use a remote client to access your network if your LAN is 
connected to the Internet without adequate safeguards, such as a firewall. 

You don't have to fall victim to intruders, however. Several preventive 
measures exist, and the most common one is Kerberos. 

For a Kerberos measure to work, you need to meet three requirements.

First, you must have a properly installed Kerberos authentication server on 
your network. Second, the authentication server must recognise your mail user 
and email server. Third, your email client and server software must support 
Kerberos authentication. 

In POP3, the authentication process is in the optional AUTH command. (RFC 
1734 defines AUTH.) This command supports authentication with a variety of 
mechanisms. The basic idea is for the client to request cryptographic 
authentication via some scheme (in this example, Kerberos 4). 

If the POP3 server supports the AUTH command, the server and the client 
go through a short Kerberos challenge/response exchange, using information 
obtained from a common Kerberos authentication server or ticket-granting 
service. If the client supplies appropriate Kerberos credentials during the 
exchange, the server accepts the connection. 

With AUTH, the exchange between the client and server looks like this: 

C: (open TCP connection to POP3 server on port 110)
S: +OK POP3 Server ready
C: AUTH KERBEROS_V4
S: + AmFYig==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
   +nZlmJjnTNHJUtxAA+oOKPKfHEcAFs9a3CL50ebe/ydHJUwYFd
   WwuQIMWiy6lesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: + or//EoAADZI=
C: DiAF5A4gA+oOIALuBkAAmw==
S: +OK Kerberos V4 authentication successful

In IMAP4, the authentication process is also optional. The basic IMAP
standard (RFC 2060) contains the authentication definitions. With the
authentication process, the exchange between the client and server looks like
the following:

C: (open TCP connection to IMAP4 server on port 143)
S: * OK IMAP4rev1 Server Ready
C: A001 AUTHENTICATE KERBEROS_V4
S: + AmFYig==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
   +nZlmJjnTNHJUtxAA+oOKPKfHEcAFs9a3CL50ebe/ydHJUwYFd
   WwuQIMWiy6lesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: + or//EoAADZI=
C: DiAF5A4gA+oOIALuBkAAmw==
S: A001 OK Kerberos V4 authentication successful
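To check which of the login styles shown above a mail client really used, a captured session can be classified mechanically. The following Python is an added example, not code from the article; the function name, the result fields and the three sample transcripts (with placeholder base64 lines) are constructed for illustration.

```python
import re

# Constructed transcripts in the C:/S: layout used above; base64 lines are placeholders.
PLAIN_POP3 = """\
C: USER harpo
S: +OK
C: PASS swordfish
S: +OK user/password acceptable
"""
KERBEROS_IMAP = """\
S: * OK IMAP4rev1 Server Ready
C: A001 AUTHENTICATE KERBEROS_V4
S: + PLACEHOLDERCHALLENGE==
C: PLACEHOLDERRESPONSE
   CONTINUEDRESPONSE
S: + PLACEHOLDERREPLY=
C: PLACEHOLDERFINAL==
S: A001 OK Kerberos V4 authentication successful
"""
REJECTED_IMAP = """\
C: A002 LOGIN harpo swordfish
S: A002 NO LOGIN failed
"""

def audit_mail_login(transcript):
    """Classify one POP3 or IMAP4 login from a C:/S: transcript.

    The password is never returned, only the fact that it crossed the wire readable.
    """
    result = {"mechanism": None, "user": None,
              "password_in_clear": False, "accepted": False}
    waiting = None   # "final" after PASS/LOGIN, "auth" while an AUTH exchange runs
    for raw in transcript.splitlines():
        m = re.match(r"\s*([CS])\s*:\s*(\S.*)$", raw)
        if not m:
            continue                      # wrapped base64 continuation or noise
        side, words = m.group(1), m.group(2).split()
        if side == "C" and waiting != "auth":   # inside AUTH, client lines are base64 replies
            head = [w.upper() for w in words[:2]]
            if head[0] == "USER" and len(words) > 1:
                result["user"] = words[1]
            elif head[0] == "PASS":
                result.update(mechanism="USER/PASS", password_in_clear=True)
                waiting = "final"
            elif head[0] == "AUTH" and len(words) > 1:
                result["mechanism"] = words[1].upper()
                waiting = "auth"
            elif len(head) == 2 and head[1] == "LOGIN" and len(words) >= 4:
                result.update(mechanism="LOGIN", user=words[2], password_in_clear=True)
                waiting = "final"
            elif len(head) == 2 and head[1] == "AUTHENTICATE" and len(words) >= 3:
                result["mechanism"] = words[2].upper()
                waiting = "auth"
        elif side == "S" and waiting:
            if words[0] in ("+", "*"):    # challenge or untagged data: exchange continues
                continue
            if words[0][0] in "+-":       # POP3 status indicator (+OK / -ERR)
                status = words[0].upper()
            else:                         # IMAP4: tag first, then OK / NO / BAD
                status = words[1].upper() if len(words) > 1 else ""
            result["accepted"] = status in ("+OK", "OK")
            waiting = None
    return result
```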

Five important events occur when you use a Kerberos authentication 
process: 

1. The server knows that the client is who it claims to be. 

2. The client knows that the server is who it claims to be. 

3. The client and server securely exchange a DES session key. 

4. At no time is the user's name or password sent over the Internet in plain 

5. If a third party records the exchange, it cannot play back the message to 
obtain fraudulent access to the system because timestamps are used in 
the exchange. 

You can further benefit from the authentication process if you take
advantage of an option in POP3 and IMAP4. Ordinarily, authentication
processes create a DES session key for one particular connection - the key
is never used again. In POP3 and IMAP4, however, you can implement a
protection mechanism that will let you use a DES session key to encrypt all
subsequent messages. This protection mechanism will prevent hackers
from impersonating a valid user and from viewing the contents of emails
(regardless of whether traffic has been secured with end-to-end encryption
schemes). Unfortunately, the protection mechanism is in effect only for data
being exchanged between an email client (user agent) and the local server.
In addition, it works only during email retrieval.

This ticket contains the client/server shared
session key, C1’s name, C1’s network adapter
card address, the ticket’s life span, and the
timestamp. Finally, the KDC encrypts the
new session key and the ticket.

KDC > C1: {K_{C1,S1}, Timestamp}K_{C1,KDC},
          {Ticket_{S1}}K_{S1}

Translation: The KDC is sending the encrypted
new session key and ticket to C1.

C1 > S1: {C1 Authenticator}K_{C1,S1},
         {Ticket_{S1}}K_{S1}

Translation: C1 is sending the encrypted
ticket to S1 along with a timestamp
authenticator encrypted with the shared
session key. S1 then uses its own password
to decrypt the ticket and retrieves its copy
of the shared session key. S1 uses the shared
session key to decrypt the timestamp
authenticator to see when C1 sent the
ticket. If C1 sent the ticket recently, S1
trusts that the KDC generated the ticket
and authenticated C1.

S1 > C1: {C1 Authenticator}K_{C1,S1}

Translation: S1 is encrypting and sending
C1’s original timestamp authenticator back
to C1. C1 decrypts the timestamp
authenticator with the shared session key,
verifying that the authenticator must be
from S1 because only S1 could have
decrypted the original ticket, obtained the
session key, and used the key to encrypt the
timestamp authenticator. C1 and S1 have
now authenticated each other as being
who they say they are and communication
can ensue between them.
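The whole exchange traced above, from C1's first plain-text request to S1's reply, can be run end to end. This Python is an added example, not code from the article: DES is replaced by a toy encrypt-then-MAC built from the standard library, and the 300-second freshness window, the replay cache, the passwords and the adapter address are assumptions.

```python
import hashlib, hmac, json, os

SKEW = 300  # seconds a timestamp stays acceptable (assumed; the article gives no figure)

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def seal(key, obj):
    """{obj}K in the article's notation. Toy encrypt-then-MAC standing in for DES."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    stream = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, stream))
    return (nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    """Reverse of seal(); raises ValueError on a wrong key or an altered message."""
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or altered message")
    stream = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

def key_from_password(name, password):
    # Stand-in for Kerberos string-to-key: the password itself is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), name.encode(), 10_000)

def fresh(ts, now):
    return abs(now - ts) <= SKEW

class KDC:
    def __init__(self, passwords):
        self.keys = {n: key_from_password(n, p) for n, p in passwords.items()}
        self.k_kdc = os.urandom(32)                      # K_KDC, known only to the KDC

    def initial_request(self, client, ts, now):
        """C1 > KDC: C1, KDC, Timestamp -> {K_C1,KDC, Timestamp}K_C1, {TGT}K_KDC"""
        if not fresh(ts, now):
            raise ValueError("stale request")
        k = os.urandom(32).hex()                         # K_C1,KDC
        return (seal(self.keys[client], {"key": k, "ts": now}),
                seal(self.k_kdc, {"client": client, "key": k, "ts": now}))

    def ticket_request(self, request, tgt, now):
        """C1 > KDC: {Authenticator, S1, Timestamp}K_C1,KDC, {TGT}K_KDC"""
        granted = unseal(self.k_kdc, tgt)
        k_c_kdc = bytes.fromhex(granted["key"])
        req = unseal(k_c_kdc, request)                   # proves the sender holds K_C1,KDC
        if req["client"] != granted["client"] or not fresh(req["ts"], now):
            raise ValueError("stale or mismatched request")
        k = os.urandom(32).hex()                         # K_C1,S1
        ticket = {"client": req["client"], "addr": req["addr"], "key": k,
                  "life": 8 * 3600, "ts": now}
        return (seal(k_c_kdc, {"key": k, "ts": now}),
                seal(self.keys[req["service"]], ticket))

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, authenticator, ticket, now):
        """C1 > S1: {Authenticator}K_C1,S1, {Ticket_S1}K_S1 -> S1 > C1: {Authenticator}K_C1,S1"""
        t = unseal(self.key, ticket)                     # only S1 can open the ticket
        k_c_s = bytes.fromhex(t["key"])
        a = unseal(k_c_s, authenticator)
        if a["client"] != t["client"] or not fresh(a["ts"], now):
            raise ValueError("stale or mismatched authenticator")
        if now > t["ts"] + t["life"]:
            raise ValueError("ticket expired")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return seal(k_c_s, {"server": self.name, "ts": a["ts"]})

def run_exchange(password="correct horse", now=1_000_000):
    """Walk C1 through all three exchanges; every name and secret here is constructed."""
    kdc = KDC({"C1": "correct horse", "S1": "s1-service-secret"})
    s1 = Service("S1", kdc.keys["S1"])
    k_c1 = key_from_password("C1", password)             # derived from what the user types
    reply, tgt = kdc.initial_request("C1", now, now)
    k_c_kdc = bytes.fromhex(unseal(k_c1, reply)["key"])  # fails here on a wrong password
    request = seal(k_c_kdc, {"client": "C1", "addr": "00-00-5E-00-53-01",
                             "service": "S1", "ts": now})
    reply, ticket = kdc.ticket_request(request, tgt, now)
    k_c_s = bytes.fromhex(unseal(k_c_kdc, reply)["key"])
    authenticator = seal(k_c_s, {"client": "C1", "ts": now})
    answer = unseal(k_c_s, s1.accept(authenticator, ticket, now))
    return {"mutual": answer == {"server": "S1", "ts": now}, "service": s1,
            "authenticator": authenticator, "ticket": ticket}
```

A recorded authenticator presented to S1 a second time, or after the freshness window, is refused, which is the replay protection the timestamps provide.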


How Kerberos Guards Your 
Network Between Realms 

The authentication of clients between
realms isn’t all that different from authentication
within a realm. Each realm has its
own KDC and ticket-granting service.
Instead of creating a separate account in
each realm for the same user, Kerberos lets
realms register with each other to pass
authentication requests among the
KDCs.

In realm-to-realm authentication, C1
contacts the KDC to create a session
key to communicate with the remote
KDC. The KDC then sends C1 a
ticket to contact the remote
KDC. C1 then obtains a ticket
from the remote KDC to communicate
with servers or services
in the other realm.

With NT 5.0, you don’t need direct 
registration between every realm. NT 5.0’s 
Kerberos supports a hierarchy of realms so 
that a client can contact one realm, which 
knows of another realm, and so on, until 
the client locates the remote KDC that can 
issue a ticket for the server in the desired 
realm. (In contrast, earlier versions of 
Kerberos used in UNIX and on the 
Internet require direct registration.) 


Even the Mighty Sometimes 
Falter 

Although Kerberos is an effective tool to
prevent unauthorised network access, no
protector is fail-safe. Even the three-headed
dog was thwarted on several occasions.
Hercules, for instance, tore Kerberos from
the underworld one time and dragged the
dog to the surface.

The Kerberos authentication process is
susceptible to several problems. For example,
Kerberos can fall victim to password
dictionary attacks if the client chooses a
password that others can easily discern.
NT provides some administrative tools,
such as account lockout and complex
password policy enforcement, to deal with
this issue. Another weakness of Kerberos is
that the KDC must be physically protected.
Improper handling or unsuitable environmental
conditions will negate any
assurance of client authentication.

You also need to consider the human
element in your network’s security. The
mythical Kerberos succumbed to bribes of
cake by Ulysses, who retrieved some of the
dead from Hades while the dog was distracted.
Similarly, people can succumb to
modern-day bribes, so the KDC server
needs to be in a locked facility. Although
this issue is beyond the scope of Kerberos’
protocol, you must consider it to ensure a
secure system.

I don’t want to scare you away from
using Kerberos with this discussion about
what can go wrong. Rather, I want to prepare
you for what might occur. If you
properly set up Kerberos and address
Kerberos’ weaknesses, including the
human element, you will have a ferocious
Kerberos guarding your network from
unwanted visitors.

worst nightmare - proactively protect your NT network

In the past, some users considered Windows NT
to be bulletproof because no one had publicly
revealed any of the various ways to break NT’s
security. But let’s face the facts: NT isn’t even
close to being bulletproof - nor is any other
commercial mainstream operating system.
Hackers are discovering security holes in NT at an alarming
rate. Since March alone, they’ve found more than 20
new holes in NT or an associated application. And you can
expect this rate to climb because former UNIX-only hackers
are now turning their attention and expertise to NT. As
one notable hacker recently said, “NT is sexy and attractive
to hack.”

More Than One Way to Protect Your OS 

One way to protect NT against hacker attacks is to load the 
latest Service Pack (SP) and the associated hotfixes as 
Microsoft releases them. However, this solution will work 
only if you can load the current SP without breaking NT. 
SP2 is a perfect example of how an SP might render NT 
useless in one fell swoop, turning a seemingly harmless 
upgrade into an adventure in recovery. 

In addition, SPs and associated hotfixes aren’t always
timely and effective. For example, to combat an attack
called GetAdmin, Microsoft developed a post-SP3 hotfix,
but by the time Microsoft released it, hackers had devised a
new way to perform the same exploit. So Microsoft
released an updated hotfix the following week. The second
hotfix stopped the GetAdmin attack, but it didn’t prevent a
similar attack from crashing an NT system. (For more information
about Microsoft’s reaction to security holes, see the
sidebar “Microsoft Needs a Different Approach to Security
Risks,” page 48.)

So what if you can’t load the latest SP or hotfixes or you
want to intensify security? If you study the nature of a given
exploit, you can discern ways to protect your NT network
without relying on Microsoft to deliver a patch. But protecting
your network without a vendor’s help requires basic
knowledge of TCP/IP and NT architecture and operation.
So if you’re unfamiliar with how TCP/IP traffic works,
what packets look like, and how NT handles security, you
need to learn about TCP/IP and NT first.

Avoid Dangerous Attacks 

As I mentioned, hackers have exploited more than 20 security
holes in NT and associated applications since March.
I’ll go over some of the more dangerous attacks and how to
prevent them without the use of SPs and hotfixes. To give
you an idea of just how fast new problems are surfacing, I’ll
include (in parentheses) the month the risk was revealed to
the public and the NT systems affected. Some security risks
reside in applications and not the NT OS. These application-based
risks are NT security risks because they pose an
inherent danger to overall network security.

Bandwidth hogging with chargen 
(July: NT 4.0 Server and Workstation) 

A hacker can launch a bandwidth-hogging attack by sending
User Datagram Protocol (UDP) packets to the subnet
broadcast address (X.X.X.255) using chargen port 19. In
most cases, the hacker also falsifies the source IP address.
Once the hacker launches the attack, every NT machine on

Microsoft Needs a Different Approach to Security Risks


What is Microsoft doing to close security holes as people discover and report them? If Windows NT 
is Microsoft's flagship product, the company ought to be guarding NT with all the resources it has, 
scouring all associated code to look for ways of breaking in and crashing the system. The result 
would be Microsoft's beating the hackers to the punch. 

Unfortunately, I don't see Microsoft taking this approach. Even when handed an exploit, complete 
with source code, on a silver platter, Microsoft still doesn't find all the ways hackers could use the 
code. This lack of attention indicates that Microsoft isn't seriously trying to find new holes. GetAdmin 
is just one of several cases in point. Microsoft released two hotfixes for the GetAdmin exploit over the 
course of 10 business days and still didn't fix all the associated problems! After the second fix was 
released, users quickly revealed that yet another related problem could quite easily crash an NT 
system entirely. The egg on Microsoft's face could have been avoided with a shield of diligence. 

Microsoft is merely putting out the fires as legitimate researchers and would-be intruders discover
them. Microsoft's security team could be much more proactive - like fire spotters looking for
smoldering problems before they get out of control.

Furthermore, contrary to popular belief, Microsoft does not always reveal all the necessary 
information about a particular security exploit. In fact Microsoft sometimes understates the potential 
dangers. The GetAdmin attack is an example. Microsoft claims this exploit is only a local attack 
problem, when a hacker can easily run GetAdmin remotely if an NT system is running on a Web or 
Telnet server. A hacker can launch the GetAdmin attack from a remote browser by placing the 
GetAdmin.exe program in the IIS /scripts directory. Similarly, giving people Telnet access to an NT 
system means that a hacker could launch the attack using a Telnet client. 

Microsoft's practice of downplaying the severity and potential of a given exploit simply must stop.
This practice is placing all NT users in more jeopardy than necessary. Not completely revealing the
full scope of a security exploit makes no sense. The correct information always turns up quickly on
the Internet anyway - so why try to downplay security risks?


the network responds to the broadcast, 
which creates a flood of UDP packets that 
eat up network bandwidth. The more NT 
systems you have on the network, the 
worse the packet flood becomes. 

Preventing this attack is easy: disable the
chargen service. You use the chargen service
only to generate a steady output of
characters for testing purposes, so disabling
it doesn’t affect network performance.

To stop the chargen service, disable the
Simple TCP/IP Service in the Control
Panel, under Services. This step not only
disables the chargen service, but also the
echo, daytime, discard, and quote-of-the-day
services - any of which hackers could
use for the bandwidth-hogging attack.
Although none of these services is required
for proper network operation, you might
find a particular service useful. For example,
you might want the echo service operational
if your network monitors occasionally
test the echo port when they cannot
get a response to a ping. You can run one
or more services while turning the others
off by adjusting the Registry entry found
in the subtree
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters.
To disable a particular service, change the
established value of both the EnableTcpXXXX
and EnableUdpXXXX parameters
(where XXXX is the service name) from
0x1 to 0x0.
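Because both the TCP and the UDP value must be cleared for each service, a half-finished edit is easy to miss. The following Python is an added example, not from the article: it audits a regedit text export of the SimpTcp\Parameters key, where the export text is constructed, the suffixes Chargen, Echo, Daytime, Discard and Qotd are assumed spellings of XXXX, and a missing value is counted as enabled.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters"
SERVICES = ("Chargen", "Echo", "Daytime", "Discard", "Qotd")  # assumed XXXX suffixes

# Constructed sample in regedit text-export layout; not taken from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters]
"EnableTcpChargen"=dword:00000000
"EnableUdpChargen"=dword:00000001
"EnableTcpEcho"=dword:00000001
"EnableUdpEcho"=dword:00000001
"EnableTcpDaytime"=dword:00000000
"EnableUdpDaytime"=dword:00000000
"EnableTcpDiscard"=dword:00000000
"EnableTcpQotd"=dword:00000000
"EnableUdpQotd"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp\Linkage]
"EnableUdpDiscard"=dword:00000000
'''

def read_dwords(export_text, key=KEY):
    """Return {lower-cased value name: int} for one key of a regedit text export."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry paths are case-insensitive; values under other keys are ignored.
            in_key = line[1:-1].lower() == key.lower()
        elif in_key:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def audit(export_text, keep=()):
    """Map each simple service to 'disabled', 'kept', or the transports still enabled.

    keep names services the administrator deliberately leaves running (e.g. Echo).
    """
    values = read_dwords(export_text)
    keep = {k.lower() for k in keep}
    report = {}
    for svc in SERVICES:
        # A value that is absent is counted as enabled (assumption) so the gap is reported.
        live = [p for p in ("Tcp", "Udp")
                if values.get(f"enable{p}{svc}".lower(), 1) != 0]
        if not live:
            report[svc] = "disabled"
        elif svc.lower() in keep:
            report[svc] = "kept"
        else:
            report[svc] = "exposed:" + "+".join(live)
    return report
```

In the sample, chargen was cleared for TCP only and discard has no UDP value under Parameters, so both are reported as still reachable over UDP.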

Gaining administrator access with GetAdmin 
(July: NT 4.0 Server and Workstation) 

A Russian programmer discovered and 
revealed the GetAdmin attack. It is one of 
the most important discoveries in NT 
security breaches because it is the most 
commonly used attack against Windows 
OSs. The attack comes in the form of a 
program that, when run, adds any user to 
the Administrators group. 

According to Microsoft, a hacker needs
direct access to the NT system’s keyboard
and console to launch the GetAdmin
attack. But if a particular NT system is running
a Web or Telnet server, a hacker can
use a remote Web browser or Telnet client
to launch the attack.

You need a combination of tactics to
prevent the GetAdmin attack. Start by protecting
access to the local console. First,
adjust the User Rights so that only trusted
network administrators can log on to the
local console. Second, never assign a user
the right to debug a process unless
absolutely necessary.

To prevent a remote GetAdmin attack,
don’t let users place unknown or untested
programs in a Web server’s /scripts directory.
If you can’t analyse and compile the
source code, don’t use the program.
Furthermore, providing Telnet access to an
NT system is extremely risky, so don’t permit
access.

Fragmenting with POD 2 (June; NT 3.51 and 
4.0 Server and Workstation) 

The Ping of Death (POD) 2 attack is a
variation of the previously discovered
POD 1 attack. Both versions involve sending
Internet Control Message Protocol
(ICMP) packets to an NT system. These
packets fragment, causing the NT system
to lock up. Whereas POD 1 sent one 64KB
ICMP packet, POD 2 sends a barrage of
64KB ICMP packets. The barrage of packets
causes Win95 and NT systems to lock
up cold without warning.

Preventing this attack involves blocking
all inbound ICMP traffic on your routers
to bordering untrusted networks. If you
use Remote Access Service (RAS) instead
of a router, install the newer Routing and
Remote Access (RRAS - formerly Steelhead)
software. With RRAS, you can
establish a packet filter that permits access
to only the necessary ports, such as those
used by Web and mail servers.

Denying service to Internet Information 
Server - IIS (June; IIS 2.0 and 3.0) 

Hackers can crash IIS by sending abnormally
large (4KB or more) universal
resource locators (URLs) to the server.
According to Microsoft, this attack is a very
specific boundary condition that occurs
during parsing of the headers. The end of a
token (method, URL, version, or header)
must be exactly at 8KB, followed by a second
token. The maximum header buffer
for IIS is 8KB; IIS throws out anything
beyond that limit as an invalid request. In
this scenario, an index gets misinterpreted
as a pointer that, in reality, doesn’t exist.

Preventing this attack without a hotfix
might be next to impossible. Some experts
theorise that an Internet Server API
(ISAPI) filter could be written to intercept
such a long URL, but no one has written
and released such a filter yet. On the bright
side, this attack is difficult to launch successfully
because each IIS server requires a
slightly different URL length to make it
crash. However, a sly programmer could
write code that would continually try various
URL lengths until IIS crashes. So if
your Web server is exposed to the Internet
as a matter of convenience and not necessity,
I highly recommend disconnecting it
from the Internet unless you can load the
hotfix.

Denying Service to Domain Name System - DNS
(May; NT 4.0 with DNS)

Hackers can make DNS crash by redirecting
the output of the chargen service
to the DNS service. They launch the attack
using a command such as

$ telnet ntbox 19 | telnet ntbox 53

This UNIX command first opens a Telnet
session on chargen port 19 on the system
named ntbox. The command then redirects
all output to a second Telnet session
opened on DNS port 53 on the same
ntbox. This setup creates a never-ending
loop of meaningless data flow, which crashes
the DNS service. Launching the attack,
however, can temporarily subject the hacker
to the same barrage of packets that the
DNS service will experience.

One way to prevent this attack is to disable
the chargen service. You can disable it
using the procedures I outlined in the
bandwidth-hogging exploit.

Exposing passwords with the Index Server
(May; NT 4.0 Server and Workstation with IIS)

The Index Server is Microsoft’s search
engine for IIS. Although the Index Server
is useful, a danger lies in its webhits.exe
program. This program highlights those
words used in the search query in the
retrieved documents, but it also, unfortunately,
lets the Web server read files that
would not ordinarily be available for reading.
If the systems administrator leaves the
default sample files on IIS, an intruder can
easily narrow the search for a username
and password.

To prevent this attack, you can remove
the webhits.exe program from the server.
Another approach is to move the webhits.exe
program out of the server’s default
installation directory and into any other
directory. However, this will only make
locating a username and password more
difficult for the intruder. In addition, you
can customise your Index Server search
pages and scripts (.idq files) so that the .idq
files search only those pages you want
searched, such as .htm or .html files.

Sending out-of-band data (May; NT 3.51 and 
4.0 Server and Workstation) 

Although Microsoft publicly announced
the existence of the out-of-band attack in
May, certain Internet circles have known
about it for more than a year. Internet
Relay Chat (IRC) users often use this
attack against other IRC members, making
it the second most commonly used attack
against Windows OSs.

To launch this attack, hackers send out-of-band
data to port 139 (the NetBIOS
session port) or another port. The OS
doesn’t know how to handle the out-of-band
data, so it crashes. NT then displays
the infamous Blue Screen of Death, identifying
TCPIP.SYS as the culprit.

Preventing this attack is difficult because
hackers can send out-of-band data to one
of many ports. The most popular is port
139, but even sending out-of-band data to
DNS TCP port 53 can cause the DNS
server to crash. I recommend that you
block access to UDP port 137, UDP port
138, and TCP 139. You can block access by
using RRAS packet filtering technology, by
taking advantage of NT’s built-in TCP/IP
filtering security, by unbinding NetBIOS
from your network cards exposed to the
Internet, or by blocking access to these
ports on your routers to bordering untrusted
networks. To prevent this attack from
being launched against a DNS server, don’t
run DNS. Instead, use a DNS service based
on a Berkeley Internet Name Domain
(BIND) port for UNIX (such as Metainfo’s
MetaIP) or BIND port for NT.

Accessing a Registry with RedButton (April; 
NT 4.0 Server and Workstation) 


Midwestern Commerce released an example
program called RedButton that
demonstrates a vulnerability in NT. The
program lets anyone with Microsoft networking
access to an NT server connect to
that NT system and read the Registry.
RedButton reveals the resources available
to the Everyone group, determines the
name of the built-in Administrator account
(even if it has been renamed), reads various
Registry entries (revealing the registered
owner’s name and other information), and
lists all shared resources (including hidden
shares). In short, RedButton divulges sensitive
information about an NT system.

To prevent RedButton or similar
attacks, you need to block access to UDP
port 137, UDP port 138, and TCP port
139 on your routers to bordering untrusted
networks. To block access, follow the
same recommendations I gave in the out-of-band
data attack. You can also stop the
Server service, but your NT box will be
unable to share resources.

Another possible solution is editing the
Registry, using regedt32.exe. To do this,
you first need to open
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers
and create a
key called winreg if it doesn’t already exist.
Next, set the security on the winreg key so
that the Everyone group access is not listed.
You might want to list, for example, the
Administrator group instead. (Do not
define the Everyone group with the NO
ACCESS privilege. This privilege locks out
all accounts.) Then close the editor and
reboot the system.

As these examples show, you can usually
prevent even the most dangerous attacks.
You just need to learn exactly how the
attack assaults NT and then look for ways
to prevent it, such as blocking ports and
changing user permissions. With practice,
you’ll become adept at keeping unwanted
visitors out of your NT network.

Maintaining Secure Exchange Servers

Fortify your messaging security with
Exchange's advanced security features

Messaging systems can contain all sorts of
information. Exchange Server lets you
store nearly any type of file in user mailboxes
or public folders. Because you
don’t want other people browsing through your mailbox
or accessing public folders that they shouldn’t, maintaining
a reasonable level of security is in your best interest.
This article examines the essential aspects of security
within an Exchange environment and Exchange 5.0’s
advanced security features.

Mailbox Security 

Before an Exchange server accepts any request to 
connect, the client must provide satisfactory credentials. 
The client establishes credentials when it attempts to 
connect to the Information Store service. At that point, it 
must provide the name of a known Windows NT account 
and its password. If the user has already logged on to the 
network and has credentials (the access token an NT 
domain controller grants), the Exchange server uses those 
credentials and doesn’t display a logon screen. Screen 1, 
page 54, shows a logon in progress. 

A user must log on if credentials are not available, if
the server has rejected the existing credentials (e.g., the
account has been locked out since the last logon), or if the
client is set to ignore any existing security data during
logon. The last check box on Screen 2, page 54, determines
whether Exchange will use the existing credentials.

Clients never transmit password information during
logons; instead, both client and server do everything on the
basis of a shared secret - the account password. At
the simplest level, the server encrypts
with the password and sends the encrypted string to the
client, which uses its knowledge of the password to
decrypt the string. The client then sends the decrypted
string back to the server, which checks the return value
against its original transmission. If both strings match, the
server accepts the credentials and establishes an authenticated
connection. Of course, this interchange does not use
a simple text string. The interchange incorporates some
additional one-time data to stop hackers from decrypting
intercepted strings.

Similarly, a shared secret maintains security within a 
site. In this case, the secret is the name and password for 
the Exchange service account. Without knowledge of the 
secret for the service account, you can’t install a new 
server into a site. Exchange checks the name and password 
when the Exchange services (such as Mail Transfer Agent 
- MTA, store, and system attendant) start after a system 
reboot. Without the secret, a rogue server cannot join a 
site and begin to replicate data you’d rather not share. 

NT accounts that hold the appropriate permissions
can override basic mailbox security and connect to a
mailbox. This feature is beneficial in some cases, such as
when people leave the organisation and you want to
recover messages from their mailboxes. This feature is a
problem in other cases, such as when systems administrators
gain unauthorised access to mailboxes to read mail

Screen 1:
Exchange
Exchange client connection

Screen 3: Amending the permissions for a public folder


they shouldn’t. Exchange logs all such
accesses in the NT event logs with identifier
1016; a good idea is to regularly check
the event logs for such instances.

Administrative Permissions 

Sometimes Exchange administrators get
confused between NT’s admin and permissions
admin permissions. The difference is
simple: the admin permission lets an NT
account perform administrative functions
for Exchange, such as starting an Exchange
service or maintaining the contents of the
directory. The permissions admin permission
inherits all the power of the admin
permission and lets an NT account grant
other permissions to itself and other
accounts. Permissions admin can be
dangerous; for example, rogue administrators
can give themselves Send As permission
on a mailbox, which lets them
connect to a mailbox and send messages as
if they were the mailbox’s real owner.
Exchange’s advanced security features prevent
rogue access to messages secured through
encryption, but they can’t stop an administrator
connecting to a mailbox if the
administrator has that permission. The
lesson here is simple: don’t allocate
permissions admin to anyone without
good reason.

Sensibly deployed, NT permissions can 
provide another level of protection. For 
example, NT administrative permissions 
are required only to install or upgrade 
Exchange software. They are not required 
for day-to-day administration tasks on an 
Exchange server. Therefore, you can allocate
different levels of permissions to
different administrators and restrict the
most powerful permissions to a select
group. If you use this restriction, you
prevent rogue Exchange administrators
who gain unauthorised access to users’
mailboxes from covering their tracks by
clearing the NT event logs — assuming
that someone actually checks the event
logs to uncover such instances.

Exchange and Outlook clients
(Messaging API - MAPI - clients) connect
to the Exchange server with remote
procedure calls (RPCs). By default, the
RPCs transmitted between client and
server are not encrypted; however, a
setting on the client can cause the RPCs
to be encrypted with a 40-bit algorithm
when connected either over a LAN-type
connection or via dial-up networking.
The Advanced tab shown in Screen 2 is set
to encrypt information passed over the
network. Using encrypted RPCs prevents
an eavesdropper from reading an intercepted
RPC without a great deal of effort,
at the cost of additional overhead. The
overhead isn’t enormous and probably
wouldn’t be noticed by users connected
by a LAN; however, when users are
connected over a slow dial-in link, the
overhead is more noticeable - and
encryption is even more desirable.

Public Folder Security 

The permissions for each public folder 
control that folder’s security. You set 
permissions either through the Exchange 
administration program or through the 
client - select the Permissions tab from the 
folder’s Properties dialogue box, as shown 
in Screen 3. 
ENCRYPTION BETWEEN EXCHANGE SERVERS


Exchange advanced security is not designed to protect communications 
between servers and sites within an organisation. Internal protection 
schemes depend on the type of connection and the protocols that flow 
across the connection. Within a site, all communication between 
Exchange servers is remote procedure call (RPC)-based; the same is true 
when sites connect using the Site Connector or Dynamic RAS Connector. 
RPCs are encrypted on the wire as they pass between servers, using 
either a 40-bit algorithm (international systems) or 128-bit algorithm 
(North American systems). 

Servers that connect with RPCs authenticate each other to ensure that 
a would-be intruder can't introduce a rogue server into an organisation 
to steal data. Authentication uses standard Windows NT 
challenge/response handshakes exchanged between servers. If an 
Exchange server cannot be authenticated, any request to connect to 
another Exchange server is refused. 

Because the Simple Mail Transfer Protocol (SMTP) and X.400 recommendations
do not incorporate encryption technology, data isn't
encrypted as it flows between servers. The ability to specify Mail Transfer
Agent (MTA) passwords affords some level of protection to sites that
connect with X.400 connectors, but SMTP servers don't expect to give a
password before they can send messages to another system.

Given the increasing importance of Internet protocols to Exchange,
Microsoft now provides extra security for sites connected with Internet
Mail Server (IMS) through Extended Simple Mail Transport Protocol
(ESMTP) in Exchange 5.0. ESMTP allows vendor-specific extensions, and
Microsoft uses this feature to support 40-bit or 128-bit encryption, much
like RPCs. Today, this extension works between only Exchange 5.0 (or
later) servers - it doesn't encrypt connections between IMS and other
SMTP servers, such as Digital's AltaVista Mail Server. Cross-vendor
encryption for SMTP mail systems will be possible only when the industry
agrees on a standard. Although the industry is working toward that
standard, it is unlikely to be finalised in the next year.


Clients connect to one or more mailboxes.
Exchange always knows a primary
mailbox and uses the full directory
name (an X.500-like name) for the
primary mailbox to gain access to public
folders. A full directory name, also known
as a distinguished name (DN), looks like
this example:

cn=Digital Equipment Corporation; cn=Dublin; cn=Recipients; cn=TonyR

Once you know a little about Exchange
organisational design, interpreting
the DN is easy. The example mailbox 
belongs to an organisation named Digital 
Equipment Corporation; it’s held in the 
Recipients container of the Dublin site, 
and the mailbox belongs to a user whose 
alias name is TonyR. 

When a client attempts to access a 
public folder, Exchange checks the DN 
against the folder’s access control list 
(ACL). The ACL lists DNs and the 
permissions they hold, so Exchange can 
easily validate whether a user can access a 
folder, and identify the user’s level of 
access. Exchange 5.0 simplifies life 
because it lets you replicate a whole set of 
permissions through the tree of a folder 
and its subfolders. 

Because distribution lists reside in the 
directory, they have DNs, too. Users 
inherit access permissions for a folder by 
their membership in a distribution list. 
Using distribution lists to control access to 
public folders is very effective, because you 
avoid amending individual memberships 
as people join or leave an organisation or 
as responsibilities change. Exchange uses a 
system of backward pointers to link individual
membership to a distribution list, so
any permission change is active for all 
users as soon as you make the change. 
Also, you can offload distribution list 
maintenance to users and free a systems 
administrator’s time. 

Screen 3 shows the ACL for the Exchange
Server Information public folder.
Many of the entries in the ACL are for
individual mailboxes, but the entry whose
display name is Technical Direct is a distribution
list that my consulting group uses
to grant read-only access to the folder.



Exchange's Advanced Security Features

Exchange has two major advanced security
features: message encryption and decryption,
and digital signatures. Exchange’s
advanced security features are based on
software that Microsoft has licensed from
both Entrust Technologies and RSA Data
Security, augmented with new or modified
code developed within Microsoft.
Exchange divides the security workload
between clients and server. Clients
perform all encryption and decryption and
apply digital signatures. The server keeps
track of the users who are entitled to use
advanced security and management operations,
such as the allocation and revocation
of security certificates. I’ll describe these
certificates and the part they play in
advanced security later in this article.

Mail applications usually secure email 
through asymmetric encryption, which uses 
a pair of keys — one private and one public. 
The keys share a mathematical relationship, 
but deriving one key from the other is 
extremely difficult. Therefore, distributing a 
user’s public key to anyone who wants to 
send that user encrypted messages is safe 
and doesn’t compromise the private key. 
The user views the encrypted information 
with the private key. 

With a single-use bulk key generated
on demand, Exchange encrypts message
contents using symmetric encryption,
which means that Exchange uses the same
key for encryption and decryption. The
bulk key uses a 40-bit, 56-bit, or 64-bit
algorithm, depending on the country in
which the software is licensed. The 56-bit
and 64-bit algorithms are only available in
the US and Canada; France permits no
encryption software.

Historically, the US banned the export 
of strong encryption algorithms on the 
basis that foreign parties could use 
encrypted data against US interests. 
Exchange 5.0 complied with the US 
restrictions in place at the time the software
shipped. In June 1997, Microsoft
obtained a license to export 128-bit
encryption technology, and the company
will use the stronger algorithms in Web-based
commerce, specifically in extensions
to the SSL (Secure Sockets Layer) and
transport-layer security (TLS) protocols.
Microsoft will incorporate the new algorithms
into Internet Explorer (IE) and
Internet Information Server (IIS), but the 
company has not made an announcement 
in relation to Exchange. 

Additionally, each recipient’s public
key encrypts the encryption key for
the message. In effect, this layer of encryption
creates a lockbox or outer wrapper
for the message. The algorithm that builds
the lockbox is based on 512 bits and is
much stronger than the base encryption.
Because of the computational power
required, using such strong encryption is
realistic only when encrypting a small
amount of data. The message recipient uses
the private key to open the lockbox,
retrieve the bulk key, and decrypt the
message. In effect, a hybrid combination of
symmetric and asymmetric encryption
protects messages. The bulk encryption
algorithm is either CAST (from Entrust) or
DES, while the public-key algorithm is
RSA.

Digital signatures are like an electronic 
stamp or seal placed on a document. 
The seal affirms that a particular person, or 
someone with access to that person’s 
private signing key, has sent the message. 
You can create a checksum for the 
message by feeding the message contents 
through an algorithm and encrypting the 
result with a private key to create a digest 
of the message. You can verify the checksum
at any time by decrypting the digest
with a user’s public key. If anyone has 
changed the message content since it was 
sent, the checksum fails. Thus, digital 
signatures allow non-repudiation of 
messages, provide a level of confidence 
that a known individual sent the message, 
and guarantee that messages have arrived 
in the same form the originator sent. 
Exchange uses the MD5 algorithm (from 
RSA Data Security) for digital signatures. 


The Exchange Certification Authority

I’ve mentioned private and public keys 
often. Because of the way Exchange 
manages keys, you must think through 
how you’ll deploy Exchange’s advanced 
security features. 

Exchange uses two pairs of keys - one 
pair for digital signatures and the other 
pair for message encryption. To hold the 
public and private keys, Exchange uses a 
system of X.509 certificates, which a 
Certification Authority (CA) issues and 
controls. In an Exchange organisation, the 
Key Management (KM) Server is the CA. 
Only one KM Server can issue certificates 
in an organisation. The first KM Server
you install creates the CA object in its site
configuration container, as Screen 4
shows. As you replicate configuration data
between sites, the other sites in the organisation
learn of the existence of the CA,
thereby preventing another KM Server
from creating another CA.

You must be certain that you install the 
first KM Server in the right place. Because 
the server hosting the KM Server holds 
the security database for your organisation,
you need to physically secure and
protect it from unwanted interventions. 

The Exchange directory stores the
X.509 certificates. When a user mailbox
is enabled for advanced security, Exchange
stores the X.509 certificate information
as attributes of the mailbox.
Each certificate requires about 700 bytes
of memory. Before an Exchange or
Outlook client tries to send an encrypted
message to a recipient, it checks to
see whether an X.509 certificate exists. If
the certificate is unavailable, the client
refuses to send the message. X.509
certificates hold the public key for a
recipient, so if the public key is unavailable,
a message cannot be encrypted.

Although logical, this approach is 
sometimes difficult for users to understand,
especially if they try to send a
message to a distribution list that has both 
Exchange and external recipients. In this 
scenario, Exchange encrypts the message 
for the Exchange recipients who have 
enabled advanced security, but Exchange 
won’t send an encrypted message to the 
external recipients because Exchange 
doesn’t know their public keys. 

Similarly, the check against the directory
lets the client determine what
encryption algorithm to use for a message.
If a North American client sends a
message to other people who also use
North American clients, the client can use
56-bit or 64-bit encryption; however, as
an international client is involved in
Australia, the client automatically downgrades
to 40-bit encryption.
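The lockbox scheme, the certificate check and the key-length downgrade described in the paragraphs above, as an added example that is not Exchange code: one fresh bulk key encrypts the body, and each recipient's public key wraps that bulk key. It assumes textbook RSA without padding on fixed, publicly known primes and a SHA-256 keystream standing in for CAST or DES, so it shows the structure only and protects nothing; the directory, names and key lengths are constructed.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the toy key pairs


def make_keypair(p, q):
    """Textbook RSA key pair from two primes (no padding, illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def keystream_xor(key, data):
    """Stand-in for the bulk cipher: XOR with a SHA-256 counter keystream.

    The same call encrypts and decrypts, which is what symmetric means here.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(message, recipients, directory, sender_max_bits):
    """Encrypt once with a fresh bulk key, then wrap that key per recipient."""
    missing = [name for name in recipients if name not in directory]
    if missing:
        # No certificate means no public key, so the client refuses to send.
        raise LookupError("no certificate for: " + ", ".join(missing))
    # Downgrade to the shortest key length that any party involved supports.
    bits = min([sender_max_bits] + [directory[n]["max_bits"] for n in recipients])
    bulk_key = secrets.token_bytes(bits // 8)  # single-use key for this message
    key_as_int = int.from_bytes(bulk_key, "big")
    lockboxes = {}
    for name in recipients:
        public = directory[name]["public"]
        lockboxes[name] = pow(key_as_int, public["e"], public["n"])
    return {"bits": bits, "lockboxes": lockboxes,
            "body": keystream_xor(bulk_key, message)}


def open_sealed(sealed, name, private):
    """Recipient side: open own lockbox, recover the bulk key, decrypt the body."""
    key_as_int = pow(sealed["lockboxes"][name], private["d"], private["n"])
    bulk_key = key_as_int.to_bytes(sealed["bits"] // 8, "big")
    return keystream_xor(bulk_key, sealed["body"])


# Constructed directory. The primes are well-known Mersenne primes, so these
# keys are not secret; a real CA certifies properly generated keys.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
DIRECTORY = {
    "alice": {"public": ALICE_PUBLIC, "max_bits": 64},  # North American client
    "bob": {"public": BOB_PUBLIC, "max_bits": 40},      # international client
}

if __name__ == "__main__":
    sealed = seal(b"Budget figures attached", ["alice", "bob"], DIRECTORY, 64)
    print(sealed["bits"], open_sealed(sealed, "bob", BOB_PRIVATE))
```

The body is encrypted once however many recipients there are; only the small lockbox is repeated, which is why the expensive public-key step stays affordable.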


Holding Private Keys 

Exchange holds users’ private keys in an
encrypted password file (with .epf extension)
on a PC. You must keep this file in
a directory that’s accessible regardless of
the PC the user logs on from. You may
need to update your logon scripts so that
password files follow users around.
Exchange encrypts the password file, as
shown in Screen 5, using a secret algorithm
based on a password provided
when a client enables advanced security. 
The key information is meaningless to 
human beings. 

The first time a user attempts a secure 
operation during a client session, the user 
must complete the dialogue box shown in 
Screen 6. Note the check box to control 
whether Exchange prompts for a password
for each operation or for each
session. If this file is lost or unavailable, a 
user cannot encrypt, decrypt, or digitally 
sign messages. 

Obviously, setting up and administering
advanced security requires some
effort. You must authorise users and issue
credentials. Individually enabling
hundreds of users can be time-consuming;
fortunately, the SIMPORT utility can
help you issue many temporary security
credentials at once. However, temporary
credentials don’t give users access to
Exchange advanced security; they merely
make the beginning of the process easier.
Users must complete the process with the
Set up advanced security option on an
Exchange or Outlook client. Eventually,
the CA issues the necessary certificates,
and your users can encrypt away.

After the CA issues security certificates, 
managing them is largely automatic. Each 
certificate has an expiration date, and when 
the date approaches, the system prompts 
the user to contact the KM Server for an 
update, as shown in Screen 7. 

Management tasks include ensuring 
that the KM Server service starts up each 
time the server reboots, revoking certificates
from users whose access you want to
deny, and reissuing certificates for people 
who have lost their certificates. 
Recovering keys is one of the KM 
Server’s critical functions - without this 
function, users can lose their .epf files or 
forget their passwords and be unable to 
read any encrypted mail. If a user loses or 
can’t remember a password, the KM 
Server restores the keys, letting the user 
get back to work. 

This workload isn’t very time-consuming,
and you can perform most of
the tasks through the Exchange administration
utility. You can appoint someone to
act as the security administrator for the
organisation so that users have one contact
for all security issues.

Working Offline

Working offline is one of the greatest 
benefits of using Exchange. As a frequent 
traveller, I create, read, and answer messages 
on my notebook PC in airport lounges 
throughout the world. The ease and power 
of Exchange’s offline capabilities simplify 
these tasks. If you’ve deployed advanced 
security, you can even encrypt and decrypt 
messages offline because you can download
the X.509 certificate information
(and other directory information) into the 
offline address book (OAB). 

The OAB is a set of five files stored in
the Windows directory. When you download
details from the Exchange directory,
you can choose to include details about
recipients, as Screen 8 shows; the extra
details include the X.509 certificates.
Downloading full details takes a little extra
time, but it’s the only way to handle
encrypted messages. OAB information is
static, and you need to download a new
OAB every week or so to update certificate
information.


Person-to-Person Key Exchange

Person-to-Person Key Exchange (PPKE) 
is new in Exchange 5.0. This feature lets 
people send a certificate containing their 
public keys to users in another Exchange 
organisation, as shown in Screen 9. After 
organisations exchange keys, they can 
exchange encrypted messages. Users can 
hold the key information in a personal 
address book (PAB), but keeping it there 
renders it static data. If a certificate is 
revoked or altered, Exchange does not 
automatically replicate the change to 
PABs; mail encryption stops. 

Third-Party Security Products for Exchange

Exchange’s advanced security features 
provide all the protection most users need. 
However, some users require even better 
security, and that’s where third-party security
extensions can help. People usually
use third-party extensions to get two 
kinds of security features: algorithms that 
are harder to break and the ability to 
exchange key information with people 
who don’t use Exchange. 



As I noted earlier, Exchange supports
40-bit, 56-bit, and 64-bit encryption
algorithms. However, because of US
government restrictions, the 40-bit algorithm
is the only one available to someone
like me, who doesn’t live in the US
or Canada. I’d like my mail to be as
secure as anyone else’s; however, data
encrypted with a 40-bit key can be
decrypted with less effort than you
might imagine. The basic rule of encryption
is that the longer a key is, the harder
it is to break. Until Microsoft opts to
exploit its new license to use 128-bit
encryption inside Exchange, anyone
outside the US or Canada who wants
highly secure mail must look beyond
Exchange advanced security.

Third-party security products belong
to one of two camps: products that depend
on a CA similar to the one Exchange uses
and products that use public and private
key pairs and rely on personal administration
and distribution of the keys. The best-known
example of the second approach is
Pretty Good Privacy (PGP). The CA style
provides the basis for almost all SSL and
other Web-based security today, because
managing security is easier when you have
a central point of reference. Personally
distributing keys is difficult to manage in a
large-scale or distributed enterprise, and
the system relies heavily on user cooperation
and knowledge.

More and more products appear in 
this space all the time, and notable recent 
arrivals include MailSecure for Exchange 
(Baltimore Technologies) and Secure 
Messenger for Exchange (Deming 
Software). Both products are plug-ins to 
the Exchange or Outlook MAPI clients 
and add security options to the client 
menus. Both products use the Secure 
MIME (S/MIME) protocol to send 
encrypted messages between users of any 
mail system that supports S/MIME. Of 
course, any public and private key scheme
works only when users make their public
keys available to their intended correspondents,
so both MailSecure and Secure
Messenger can generate and distribute
keys, much like the PPKE feature in
Exchange. The combination of S/MIME
support and the ability to distribute keys
makes these keys well-suited for a heterogeneous
messaging environment or for
implementing advanced security between
two Exchange organisations.

MailSecure is especially interesting for 
installations outside the US because the 
encryption algorithms did not originate in 
the US, and therefore, the US government 
cannot restrict them. Instead of the 40-bit 
algorithm Exchange currently offers, 
MailSecure uses a 128-bit algorithm, which 
provides a huge increase in security. A CA 
is available for MailSecure (UniCERT). 
The CA is an important component of a 
secure mail system, so its availability is an 
important plus for MailSecure. 

These products aren’t the only offerings
on the market. Entrust Technologies’
Entrust/Express extension for both
Exchange and Outlook clients is in beta
testing. A browse through the Exchange
mailing list reveals a number of PGP
extensions for Exchange. Most of these
extensions are shareware or freeware, but
commercial products based on PGP are
also appearing.


Contact Information

Secure Messenger
Deming Software
Web: http://www.deming.com

MailSecure and UniCERT
Baltimore Technologies
Email: info@baltimore.ie
Web: http://www.baltimore.ie

Entrust/Express
Entrust Technologies
Web: http://www.entrust.com/express.htm

I guess you can say that I’ve always questioned authority.
When I hear, “Don’t do that,” my usual response is, “Why?
What would happen if I did?” Although my questioning
nature sometimes frustrated my teachers (and perhaps 
contributed to a few gray hairs), such rebelliousness has its 
virtues. Questioning authority - in this case, Microsoft - 
has helped me discover new levels of system performance 
for Windows NT. 


Mutiny on the MS Bounty 

I never heeded Microsoft’s decree that NT is a completely 
self-optimising operating system, one that users don’t need 
to tweak to achieve maximum performance. “Just add more 
expensive hardware,” said Microsoft, “and the promised land 
of faster performance will be yours.” Bah! I knew there must 
be ways to improve NT’s performance with my existing 
equipment. Remembering the significant performance 
increases I achieved by tweaking other Microsoft operating 
systems, I doubted that Microsoft’s developers made NT so 
different that they removed every possibility for the user to 
enhance performance. I realised that I could no longer be a 
mild-mannered, obedient NT user; this job clearly required 
a Registry pirate. With this mindset, I donned my eye patch 
and sword (and Registry editor), and set sail for uncharted 
NT performance. In this article, I’ll log the results of my 





Pirate's Rule #1: Default Settings Equal Milquetoast Performance

The first thing any good NT performance 
pirate needs to know is that default settings 
are usually not ideal. The good news about 
default settings is that they work for most 
users. The bad news is that they don’t give 
everyone the best performance for a 
particular situation or application. After all, 
how can a system be truly self-optimising 
if it doesn’t know how you’re using it? Are 
your applications disk bound, compute
bound, or both? Does the amount of physical
RAM you have far exceed your typical
working set (the amount of memory a
process uses or allocates), or are you
running close to the edge? Do you want
the highest priority to go to foreground or
background tasks, or do you want execution
spread evenly among all tasks? The
answers to these questions significantly
affect NT’s performance. Furthermore, if
you haven’t explicitly told NT how you
want the system configured, NT is automatically
answering these questions for
you. If you’re like me, you’ll want more 
involvement in the decision-making 
process. 

Pirate's Rule #2: The Best Buried Treasure Is in the Registry

Several Registry modifications play an
important role in optimising NT. After you
understand these buried gems, you can
significantly alter your system’s performance.
Some changes can substantially
boost your system’s overall speed, but inappropriate
changes can decrease performance.
Therefore, as I discuss each Registry
modification, I’ll provide enough information
to help you make intelligent decisions
about each change and determine which
changes are appropriate for your situation.
You need to be proficient in using NT’s
Registry editors (REGEDT32.EXE and
REGEDIT.EXE) and always be prepared
for disaster, which leads us to Pirate’s Rule
#3.

Pirate's Rule #3: Smart Pirates Make Backups

Any modification to the system Registry,
no matter how well documented or well
intentioned, always involves a certain
degree of risk. Any of the Registry modifications
I discuss in this article can potentially
damage your NT installation or make
it unbootable. Therefore, you need a full
system backup and an updated copy of the
Emergency Repair Disk (use RDISK /S so
that you get the SAM and SECURITY
Registry hives in addition to the usual
information that the RDISK utility backs
up) before you make any changes to the
Registry. I recommend that you make an
additional copy of the Registry using the
REGBACK.EXE utility from the
Microsoft Windows NT Workstation Resource
Kit or Microsoft Windows NT Server Resource
Kit CD-ROMs. If your boot partition is a
FAT volume accessible via an MS-DOS
boot disk and the Registry becomes
corrupt or damaged, you can replace the
damaged version in the
%SYSTEMROOT%\SYSTEM32\CONFIG folder
with the uncompressed copy.

TABLE 1: Server Service Configurations and Related Registry Values

Server Configuration Setting                       LargeSystemCache Value   Size Value
Minimize Memory Used
Balance (cache and working sets have equal prio
Maximize Throughput for File Sharing
(the cache has a higher priority)
Maximize Throughput for Network Applications
(the working sets have higher priority)

TABLE 2: Volume and Default Cluster Sizes

Volume Size                 Default Cluster Size
512MB or less               512 bytes
513MB to 1024MB (1GB)       1024 bytes (1KB)
1025MB to 2048MB (2GB)      2048 bytes (2KB)
or greater                  4096 bytes (4KB)

You can also restore a damaged 
Registry by using the option to “Press 
spacebar now to invoke Hardware Profile/ 
Last Known Good menu” during NT’s 
boot process, or by using NT Setup’s 
option to “Repair a damaged Windows 
NT installation” (which uses the information
stored on the Emergency Repair Disk
to restore the system Registry). However, 
the ultimate method of performing 
Registry backups and restores is to use a 
utility designed specifically for that 
purpose, such as the ConfigSafe NT utility 
from imagine LAN. This handy utility lets 
you make multiple backups of your system 
Registry and dynamically restore your 
choice of versions if a problem occurs. One 
final utility toolkit to consider is the set of 
NT tools available at the NT Internals Web 
site (http://www.ntinternals.com and 
http://www.winternals.com). The 
NTRecover utility is handy for doing 
dead-system recovery when your system 
won’t boot at all; another handy utility is 
NTFrob, which gives you an amazing level 
of control over just about every aspect of 
NT’s file cache. 

Pirate's Rule #4: The Proof Is in the Benchmark

One final rule to keep in mind: do not 
conclude that a change is effective or 
worthwhile until you’ve proved it with a 
benchmark. To determine the effect of a 
particular change, use a benchmarking utility
to gain both before and after pictures of
system performance. Also, remember to 
make only one change at a time; then, 
reboot the system and test. Otherwise, you 
won’t be able to pinpoint the source of a 
performance improvement or degradation. 
One utility that I recommend is BAPCo’s
SYSmark for Windows NT 4.0, a real-world
application benchmark utility.
Rather than measuring raw throughput for
I/O subsystems, this utility measures the
performance of several business applications,
such as Microsoft’s Word, Excel, and
PowerPoint. (For more information about
this benchmark utility, visit the BAPCo
Web site.)

Configuring file system cache priority on the Services tab of Control Panel's Network applet

First Stop: The Paging File 

Let’s begin our voyage by examining one 
of the most important contributing factors 
to an NT system’s overall performance: the 
disk subsystem. NT heavily uses the paging 
file to swap program code and data from 
memory to disk and back. NT’s use of the 
paging file is significant even on systems 
with large amounts of installed memory. 
Don’t fall into the trap of believing that 
just because your system has lots of available
RAM, the paging file goes unused. It
doesn’t. Although use of the paging file 
will certainly decrease, NT will continue 
to use the paging file to swap system code, 
user code, and data between memory and 
disk. Therefore, how well NT performs 
paging on a system is extremely important. 
Even systems with fast CPUs and lots of 
memory will suffer from a non-optimised 
paging file. 

The steps for increasing paging file
performance are simple but effective. First,
in the Virtual Memory box on the
Performance tab of the System applet in
Control Panel, click Change to display the
paging file configuration window. Set the
initial and maximum sizes of the paging
file to the same value. Matching these sizes
reduces the inevitable and performance-hampering
file fragmentation that occurs
to a dynamically resizable paging file (one
with a different initial and maximum size)
as the system grows and shrinks the file.
The maximum value needs to be large
enough to easily accommodate the largest
memory footprint your system will
achieve; you definitely don’t want your
system running out of paging-file space in
mid-operation. To get a sense of the maximum
memory usage on your system, load
all the applications you typically run,
launch NT Task Manager, and check the
Peak Commit Charge value on the
Performance tab.

Next, spread the paging file across as
many physical disks as possible, rather than
placing it on one disk. This approach
distributes the load across multiple independent
drives and improves paging file
performance. To further maximise paging
file performance, place the paging file on a
dedicated disk partition (preferably a separate
physical disk) and set the initial and
maximum paging file sizes to the size of
the partition. This setup eliminates the
problem of paging file fragmentation and
optimises paging performance. However,
you need to format the volume as FAT and
not NTFS, for two reasons: FAT is significantly
faster than NTFS on smaller (under
2GB) volumes, and the NTFS file system
places a second copy of the MFT (Master
File Table) in the middle of your hard disk.
This placement breaks your paging file
into two pieces and prevents it from occupying
one contiguous block of disk space.
Finally, to enhance performance even
further, place your dedicated paging file on
a stripe set volume made up of two or
more equally sized partitions on separate
physical disks. Ideally, choose SCSI drives
because SCSI is typically much faster for
multidrive volumes such as stripe sets,
mirror sets, and stripe sets with parity.
You’ll be amazed at the performance
differences you achieve during paging file
access with this setup compared with placing
the paging file on a volume containing
the NT operating system or applications.
The performance increase is especially
significant on NT systems that experience
a high amount of paging file usage.
However, if you have limited disk resources
and you must share the disk that contains
the paging file with other data, be sure to
place the paging file on the least busy disk
in your system.

Stop Paging the Executive 

NT doesn’t limit paging activity to only
user applications and data: NT may page
out portions of itself to disk during system
operation. On systems with sufficient
RAM (at least 16MB more than the average
total working set of the system, including
the operating system, user applications,
and data), disabling NT’s ability to page the
Windows NT Executive to disk can
enhance performance. To force this behaviour,
you need to find the following
Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
The DisablePagingExecutive
value tells NT whether it can page system
drivers and code to disk when they’re not
in use. The default value is 0 (allow
paging); if you change the value to 1, all
drivers and the NT kernel remain in RAM
at all times. If you make this change, be sure
your system has plenty of available
memory after you load the system and user
applications; otherwise, application performance
will suffer. On systems with plenty
of RAM, this change reduces NT’s paging
operations and helps improve perfor-

Cashing In on Cache Priorities 

Another useful disk-related performance
tweak relates to NT’s prioritisation of the
file system cache. NT constantly juggles
memory used for the file system cache and
memory used for running processes
(services and applications). On NT Server
computers, you can change this prioritisation
by editing the properties of the Server
service on the Services tab in Control
Panel’s Network applet.

Screen 1 shows the Server configuration
dialogue box. Depending on the
Optimisation setting, NT either minimises 
the memory used for the file cache 
(Minimise Memory Used), balances the 
distribution of memory between the cache 
and the running processes (Balance), 
favours the use of memory for the system 
file cache (Maximise Throughput for File 
Sharing), or favours the use of memory for 
applications (Maximise Throughput for 
Network Applications). In a future article, 
I’ll detail the effects these settings have on 
the system and look at another problem 
concerning this entry. 

Although this procedure works fine for 
NT Server, what about NT Workstation? If 
you attempt to configure the Server service 
on an NT Workstation, you get a message 
that you cannot configure the service. 
Should you accept this statement? Heck, 
no! You can configure NT Workstation 
with the same entries as NT Server; 
however, you must manually edit the 
Registry. The following Registry values
control the file system cache prioritisation:
LargeSystemCache in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
and Size in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters.

Microsoft’s documentation states that 
configuring the Server service affects only 
the LargeSystemCache value. However, 
examining the Registry during Server 
configuration reveals that both values 
change. Table 1 summarises Server configuration
options and the corresponding
LargeSystemCache and Size values. The 
default values are the settings for the 
Minimise Memory Used option, which 
minimises the memory NT allocates to the 
system cache and the working set of 
processes. 

If you have plenty of RAM on your 
system and want to realise significant 
increases in disk performance, try changing 
the Registry values to the settings for the 
Balance or Maximise Throughput for File 
Sharing options. The Balance option 
balances memory usage between the file 
system cache and the process working sets, 
but it uses a larger file system cache than 
the cache it uses with the default setting. 
Maximise Throughput for File Sharing 
prioritises the cache over the working set 
of processes; consequently, it may not be 
the best setting for workstations. 

On some systems, I’ve seen disk performance
increase from 5 per cent to 50 per
cent after making one of these changes. 
However, you’ll need to experiment with 
different LargeSystemCache and Size 
values and benchmark results before and 
after the change to find the best settings for 
your system. In most cases, you’ll find that 
the Balance settings give the best overall 
performance. 

On NT systems with insufficient 
amounts of free physical memory, setting 
LargeSystemCache to a non-zero value 
usually increases paging file activity 
because memory usage is prioritised in 
favour of the system cache rather than 
system processes. If applications need additional
memory, the extra memory usually
comes from the paging file. The resulting
increase in paging file activity typically
reduces overall system performance.

Turbocharging NTFS 

If you’re using NTFS on your system,
several changes can help you increase the
file system’s speed. The first and most basic
setting is one that NTFS chooses automatically
when you format a new NTFS partition:
the volume’s cluster size (NTFS allocates
disk storage in units known as clusters).
Typically, NTFS selects the volume’s
cluster size (measured in bytes) from a list
of defaults that relate to the volume’s total
capacity. Table 2 lists the default cluster
sizes for ranges of volume size.

Usually, the default cluster size provides
good performance; however, reformatting
the volume with a different cluster size can
enhance performance in some environments.
Unfortunately, to change cluster
size, you must back up the entire volume
to tape (or to another volume), reformat
the volume with the new cluster size, and
then restore the data. You can use NT’s
Disk Administrator utility, as shown in
Screen 2, or use the FORMAT command
from the NT command prompt to specify
the cluster size when you format NTFS
volumes. The syntax for the FORMAT
command is

FORMAT <drive>: /FS:NTFS /A:<size>

where drive is the drive letter of the drive
to format, and size is the cluster size to use
on the new volume (512, 1024, 2048,
4096, 8192, 16K, 32K, or 64K). This setting
overrides the default cluster size. (At cluster
sizes above 4096, NTFS does not support
some features, such as NTFS compression
and virus checking.) A third method for
specifying cluster size is to double-click
My Computer on the desktop, right-click
the volume, and select Format. When the
Format dialog box appears, simply change
Allocation Unit Size to a value from the
drop-down list.

Changing a volume’s cluster size may
be appropriate depending on the type of
files on the volume. For example, a volume
with a large number of small files may
perform better with a small cluster size,
whereas a volume with a few very large
files may perform better with a large cluster
size. Be sure to benchmark each cluster
size scenario with lengthy file I/O operations,
using files of different sizes if possible
(Bench32 lets you test disks with files
from 1MB to 20MB in size). If you experiment
with different cluster sizes, start
small: move up or down one cluster size at
a time and then retest. Once you find the
cluster size that yields the best performance
for the average file size to be stored on the
volume, you can restore the data to the
volume.

NTFS is a sophisticated file system, and
features such as the extended attributes that
NTFS files use to support NT permissions
increase overhead to your system. Certain
default NTFS behaviours can unnecessarily
reduce your system’s performance. One
such behaviour is the automatic generation
of 8.3 DOS-style filenames for all files
stored on NTFS volumes. Because NTFS
must generate an 8.3-style name for each
new file created on the volume, write operations
with such names take longer than
write operations that use only long filenames.
If your network doesn’t include any
DOS or Windows 3.x clients, you can
disable this automatic feature. In
the Registry, change the value of
NtfsDisable8dot3NameCreation to 1 in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.

Several points are important to keep in
mind about this procedure. First, be sure
that your network does not now contain 
(and will not contain in the future) any 
systems that use DOS, Windows 3.x, or 
Windows for Workgroups 3.x. These 
systems cannot use NTFS files without 
8.3-style names. Second, be aware that 
changing this Registry value affects only 
future files stored on the volume. Existing 
files retain their 8.3 version names until 
you remove the files from the volume. If 
you want to start with a clean slate, set the 
Registry value to 1, move all the files to 
another volume or tape, and then move 
them back to the original volume. 

As long as we’re in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem,
I’ll point out
another file system-related setting that can
improve NTFS performance. The
NtfsDisableLastAccessUpdate entry controls
whether NTFS updates the LastAccess
time/date stamp on directories as NTFS
traverses the directory structure. Disabling
updates can also reduce NTFS overhead,
without significantly impairing functionality.
The default value is 0 (NTFS updates
directory time/date stamps); change the
value to 1 to disable updates. If you don’t
see the NtfsDisableLastAccessUpdate
entry, you can manually add it as a
REG_DWORD type with value 1.
However, if you add this entry, be very
careful to spell the name correctly,
including capitalisation.

Here’s one last item on disk performance
optimisation: whenever possible,
keep the amount of free space on a physical
disk at 40 per cent or more. When the
amount of free space drops below 40
per cent, the disk takes significantly more
time to find free space to write data.
Although you can mitigate this effect by 
regularly using a disk defragmentation tool 
(e.g., Executive Software’s Diskeeper or 
Symantec’s SpeedDisk utility in Norton 
Utilities for Windows NT), you’ll still 
experience a significant performance hit 
on a crowded disk. 

X Marks the Spot 

As with all system-tuning modifications, I 
highly recommend that you first try the 
modifications I’ve described in this article 
on non-production machines before you 
change your network servers and workstations.
Occasionally, you may find
hidden ramifications that affect particular 
applications. By testing the modifications 
first, you reduce the possibility of any 
unpleasant surprises. Finally, remember to 
benchmark system performance before 
and after each system modification so that 
you can quantify the performance effects 
of each change. You might also want to 
consider doing each benchmark twice or 
(even better) doing the tests on two 
different systems. This tactic gives you a 
more objective test and helps reduce the 
possibility that some software or hardware 
peculiarity will interfere with the accuracy
of your tests. □
Eugenio Beaufrand

Microsoft's managing director for the South Pacific Region


In a world filled with consumer desktops, corporate
workstations and enterprise servers, not to mention
thin clients, Microsoft is firmly holding onto its strategy
of having Windows NT everywhere.

“In a couple of years Windows NT will become our 
core system,” says Eugenio Beaufrand, Microsoft’s new 
managing director for the South Pacific Region. With 
Windows 95 and the upcoming Windows 98 due to fall 
prey to a consumer version of Windows NT, Beaufrand 
believes that NT will become easier for everyone to use. 

“We’ll be incorporating things such as natural language
and the ability to do vision so it (a PC) can see you
move and recognise who’s in front of it,” he said.
However, Beaufrand couldn’t name a date for when NT 
will actually incorporate these technologies. 

According to Beaufrand, the scope for IT development
is limitless. “The growth of computing power will
continue to obey, if not defy, Moore’s law. We can definitely
count on a lot of horsepower to be there. The other factor
that is interesting to consider is the fact that the PC, and
computers in general, continue to be looked at as dumb 
machines. There’s a lot of work that we still need to do so 
that computers can be broadly used by a bigger audience.” 

Yet the concept of Windows NT being everywhere
will come at a cost to both NT’s competitors and thin
clients. While Beaufrand is enthusiastic about Microsoft’s
work on Hydra, its upcoming thin-client technology, even
he admitted that he wouldn’t use a dumb terminal himself.
“If I was in data entry, then I would. If my life doesn’t
depend on it, then never.”

Furthermore, he doesn’t believe that more than a 
minor percentage of a corporation’s staff will use it. “I 
don’t think a company is going to go 100% into Hydra,” 
he says. “The number of users inside corporations that are 
estimated to move into a network computer type model 
are very few.” 

The other issue facing Microsoft is its emergence as a 
monopoly, what with Unix, Novell and IBM’s OS/2 facing
falling market share.

“We are already outstripping Novell on a large scale 
with new licenses,” Beaufrand says. “They’ve lost a lot of 
market share and they’re going to have a very difficult time 
regaining the position of leadership they once had.” He 
also doesn’t hold much hope for OS/2. “There’s no room 
for a niche operating system,” he says, “they won’t be able
to fund research and development. I don’t think OS/2 is
going anywhere.” 

On the Unix front Beaufrand believes that, unless 
something dramatic happens, it too will eventually lose 
out to NT. “When you look at Unix shipments in what 
used to be the workstation Unix market, those shipments 
are declining for all vendors. I think NT has done, and will 
continue to do, a really good job challenging the workstation
space and has also done really good work in taking
over the space of Unix in the mid-size market.” 

It’s this decline in other companies’ market share that
has prompted industry watchers to believe Microsoft will
create a software monopoly, with James Clark, Netscape’s
chairman, even quoted by Business Week as saying that
Microsoft is fundamentally evil. “I think it’s a stupid thing
to say,” Beaufrand retorts. “I think Microsoft, as a company,
has relied on partners and the success of partners more
than any other company.”

“We have some people complaining,” he acknowledges.
“But all over the world there is a set of companies
such as Sun, Oracle and IBM and if you look at the operating
systems, it’s a proprietary environment.”

However, Beaufrand doesn’t deny that Microsoft may 
monopolise the operating system market. “I don’t know,” 
he says. “Not by definition but it’s a bit like what happened
with Beta and VHS. The industry would benefit
from having only one format to focus their resources on.” 

This argument sounds a lot like the one presented by 
Sun when promoting its Java language. However, 
Beaufrand doesn’t see it as being a serious competitor. 
“Conceptually the Java Virtual Machine is a direct threat 
to our environment, by definition,” he says. “The concept 
of the Java Virtual Machine is nothing new, I mean, it’s 
been around for years. However, I think that with time it 
has been proven that with advancing technology, and with 
the different platforms advancing in different directions, 
it’s very difficult to hold the industry down to a single 
common denominator approach.” 

Nor does Beaufrand hold much faith in the NC, the 
main hardware platform for the Java Virtual Machine. “I 
personally don’t believe (the NC) will solve anything,” he 
says, adding that it will be less reliable than NT and will 
fail to deliver compatibility. “I mean, each NC is different. 
Java applications that run on one won’t run on another. It’s 
a scam.” 
publishing

will Windows NT kill

An overview of NT’s
move into this volatile environment

by DAN KAUFMAN


Five years ago the publishing industry didn’t have a
choice of computing platform. They either used the
Macintosh or they used nothing at all. Two years ago
there was a choice - Windows 3.1 - but only a minority
of people designed on it. It still wasn’t as friendly to use as the
Macintosh, nor was it as reliable. But times change.

The catalyst for this has been Windows NT, which even 
John Scully, Apple’s former CEO, claimed that Apple 
should move to. In an age where the only thing 
keeping Apple afloat is Microsoft’s recent 
investment in it, it seems that Apple’s 
dominance in the publishing market is 
seriously under threat. Last year 
Steve Vamos head of Apple Asia also 
admitted in an exclusive Publishing 
Essentials interview that Windows NT was 
the future and that even Apple should be considering
this O/S.

The reason is simple - not only does Windows NT now
provide an interface arguably as intuitive and easy to use as
that of the Mac OS, it’s finally as powerful and stable - with
a lower price tag to boot. While a high-end Windows NT
graphics workstation would cost around $9,500, which takes
into account the cost of a powerful graphics board, several hard
disks and dual 300MHz Pentium Pro processors plus a 20-inch
monitor, a similarly configured Macintosh
would cost around $14,000.

Furthermore, the industry isn’t the 
same as it was five years ago, where paper, 
ink and film were the main ingredients. 
Now, for example, Internet publishing is 
becoming widespread, with Windows NT 
largely being used for its easy Internet 
connectivity, networking capabilities and 
stability, allowing it to run 24 hours a day,
seven days a week.

Yet even in traditional paper-and-ink 
publishing, Windows NT is rapidly 
making inroads. For one thing, it’s now 
becoming more common for Windows 
NT to be used as the backend server, with 
designers’ and Macs connected up to it. 
“When it comes to workgroup management,
Windows is picking up quickly,”
says Harry Kongogiannis, Agfa’s applications
manager. “We now have a solution
where you can have a Windows NT
machine that acts not only as an image
server, but acts as a RIP (Raster Image
Processing) for an imagesetter as well. It
also acts as the central point where we do
any image cataloguing databasing, and also
is a preview station.”

In the design area Windows NT has 
been the most sluggish, with most designers 
still using the Macintosh platform. Yet as the
technology that surrounds Windows NT 
improves and adapts more to the publishing 
environment, even this will change. 

hardware 

One of the key reasons for this is that the 
hardware behind Windows NT is now 
powerful enough to rival that of the 
Macintosh and other platforms and is 
increasing on a dramatic scale on the 
graphics front. First on the bandwagon was 
Intel’s MMX technology, which is 
designed to make graphics and multimedia 
run faster and is already supported by 
companies such as Macromedia and
Adobe. Intel states that from now on, all its
new chips will feature MMX, whilst most 
workstations today already have it. 

The second new graphics technology 
from Intel has just been released, which is 
a new graphics chipset called the 440LX 
AGP (Advanced Graphics Port). This is a 
new motherboard architecture that’s 
designed to speed up 3D image processing 
and is targeted at Intel’s Pentium II chips. 
It will also support the Ultra DMA interface,
which allows for faster storage
throughput. 

However, Intel isn’t the only kid on 
the block. Standing on the sidelines is 
Digital’s Alpha processor, which offers 
considerably higher performance with 
processor speeds of up to 600MHz available.
While mainstream design packages
are yet to make use of the Alpha processor,
some of the most powerful RIPs
available, such as those by Harlequin and 
Agfa, run on the Alpha with Windows 
NT as the operating system. 

Another important factor has been
Windows NT’s ability to use SMP (simultaneous
multiple processing), which means
that several processors can be used at the
same time. This allows high-powered
packages, such as video editing packages
and RIPs, to work better on Windows NT
than on the Macintosh, which can’t
support multiple processors - at least not
yet. At the moment, a typical Pentium II
workstation can support up to two processors
while Pentium Pros can support four,
although a new Pentium II chip has just
been released that supports up to four.
Systems that use these will be available
towards the end of this year.

Windows NT 

While Microsoft previously ignored 
publishing as far as Windows NT 
is concerned, focusing more on the 
corporate networking market, it is now
changing its strategy with a vengeance. 
The next version of Windows NT, 
namely 5.0, will be key in this move, with 
Terry Clancy, Microsoft’s BackOffice 
marketing manager, declaring “it’s going 
to become the most popular platform for 
publishing”. 

There are several reasons why 
Microsoft believes this, but high amongst 
them is the fact that it has just licensed 
Linotype-Hell’s LinoColor colour matching
technology, which it will incorporate
into the operating system itself. This is the 
same technology that Apple licensed two 
years ago for the Macintosh OS, which 
Apple then called ColorSync 2.0. 
According to Microsoft the Linotype-Hell 
colour transformation engine will be the 
default colour-management module in its 
Image Colour Management (ICM) 2.0 
API, which will work for both Windows 
NT and Windows 95. However, Microsoft 
conceded the possibility that ICM 3.0 
may be slipped into Windows NT 5.0 
instead, depending on beta feedback. 

Furthermore, Windows NT 5.0 
promises to support multiple monitors, 
making animation and video editing packages
work better. While there are already
packages available for Windows NT that
work in this area, such as those by Avid,
having multiple-monitor support built
into the OS will push Windows NT more
into the high end of the market.

Another feature of Windows NT is its
font support, which Clancy claims is superior
to other products, as “it can hold an
essentially unlimited number of fonts”.

Microsoft also believes that Windows 
NT’s networking capabilities will push it 
further into publishing. “It’s highly feasible 
that the prepress people will be using 
Windows NT on their systems and so 
there’s more leverage to be gained there if 
you’re using the same operating system,”
Clancy says. “It means you can leverage the 
wide area network capabilities of NT, such 
as point to point tunnelling, to quickly and 
efficiently get your files to prepress.” 

Windows NT’s networking features 
also mean that it integrates better in a 
mixed environment than other platforms, 
making it a better choice as a storage 
server. In digital printing, where large 
format printers are now replacing traditional
methods, this has allowed Windows
NT to be right at the forefront. 


“Windows NT allows you to work 
with bigger files more effectively,” says 
Peter Leihn, Hewlett Packard’s market 
development manager for peripherals. “It 
can move large files around easier.” 

Jim DeLoen, market development
manager for Hewlett Packard’s
Information Storage Group, also points
out that there are more storage solutions
available for Windows NT than for the
Macintosh. “Most companies don’t
provide in-the-box solutions for the
Macintosh,” he says. Typical long-term
storage solutions include MO (Magneto
Optical) juke-boxes, CD ROM juke-boxes
as well as tape drives and RAID
disk systems.

Last but not least, companies are finally 
addressing the problem of printer drivers 
by creating their own, which in turn will 
boost Windows NT’s progress into the 
digital printing arena. For example, 
Hewlett Packard has finally created 
Windows NT 4.0 printer drivers for its 
large format printers. “Up until now we 
relied on Microsoft to provide the 
drivers,” Lane says. However, Windows 
NT 3.51 users still have to rely on 
Microsoft drivers. 


software 

It’s an old cliche that the hardware you
have means nothing if there’s no software
to support it, and the same applies to operating
systems. In the publishing market,
where the majority of designers rely on
products from Quark and Adobe, it’s especially
important that their software is available
on NT - and during the last year both
companies, in addition to others, have
done exactly that.


Notable amongst these is Quark’s 
announcement of QuarkXPress 4.0, 
which will be released on the Windows 95 
and NT platforms at the same time as the 
Macintosh version. Unlike the previous 
Windows version of Quark, this will be a 
full 32-bit version and promises to work as 
well as the Macintosh version. 

Adobe and Macromedia are already 
shipping their packages on the NT platform
and typically make up to fifty per
cent of their sales from it. When you
consider the fact that both these companies
come from purely Macintosh environments,
it’s telling to say the least.

“In total terms it’s about 50-55 per
cent Windows,” says Sein Chew, 
Macromedia’s marketing director, about 
sales of Macromedia’s products. Whilst 
adding that he doesn’t believe the 
Macintosh will go away just yet, he does 
believe that Windows NT will continue to 
eat into the Macintosh market. “The trend 
is towards that way,” he says. “I can’t see 
anything slowing it down at this stage.” 

Adobe posted similar figures, with 
Windows software accounting for 51 per 
cent of all its sales. “That was the first time 
that Windows revenue exceeded Mac 
revenue,” stated Ludmilla Fedorovitch, 
marketing manager at Adobe. 

Another company whose clientele is 
making the move from being Macintosh-based
to Windows NT is Avid, a company
that specialises in graphics and video
animation packages such as its MCXpress
packages, which deals with digital editing
and finishing.

“MCXpress is expected to sell 75 per 
cent of its products on the NT platform,”
claims Suzanne Burmeister, business 
manager at Avid. According to 
Burmeister, this is largely due to cost, 
although a large Windows NT user base 
was another reason. 

internet publishing 

Of all the publishing areas, however, the 
one where Windows NT is making the 
most inroads is Internet publishing.
While many web page designers still work 
off the Macintosh, the actual compilation 
and storage of web sites is invariably 
housed on Windows and Unix boxes. 

“It’s very rare that you will come across 
people having an actual Mac web server,” 
says Kevin Page, a web page consultant at 
The AdType Group. “They’re not that 
stable and they haven’t got a lot of room 
behind them, especially if you do database 
integration, as an NT box would have.” 

Yet Unix is rapidly losing its market 
share as far as Internet servers are 
concerned, largely due to their complexity. 

According to Chris O’Hanlon, 
creative director of Spike Wireless, cost is 
the major factor. While both Unix and 
Windows NT servers offer similar levels 
of price and performance, a Windows NT 
server will cost considerably less. 
However, actual web page design is also 
largely done on Windows rather than the 
Macintosh. For example, one of the most 
popular web creation packages, Sausage 
Software’s Hot Dog, is only available on 
the Windows platform. 

“You’d be mad to do it on a Mac,” says 
Robert Cummings, development manager 
at Sausage Software, which incidentally is 
an Australian company. “You just don’t 
have the software to do it.” While admitting
that there are Macintosh development
utilities available, he says that they are not 
as flexible or good as the ones on 
Windows, and that the Windows market 
is larger than the Macintosh one as far as 
web development is concerned. □ 
Oracle for NT

With its 53 per cent share of
the market, Oracle is the
worldwide leader in relational
database management
systems (RDBMSs). Microsoft’s
SQL Server is more widely used in the
Windows NT market - not surprising,
because SQL Server is part of BackOffice
and Microsoft gives away five-license
developer versions of SQL Server with
the enterprise editions of Visual Studio 97
and Visual Basic 5.0. But Oracle7 for
Windows NT is gaining fast. Oracle’s Web
site devotes a subsection
(http://www.oracle.com/NT) to NT, where, among
other things, you can order Oracle on an
NT CD-ROM, as 50,000 others have
before you. The CD-ROM includes
evaluation versions of a variety of Oracle
NT products, including the Oracle7
Workgroup Server.

Although the new Oracle7 products 
are easy to install, many users are discovering
that Oracle isn’t as easy to use as
SQL Server. A reasonably savvy user with 
some Microsoft Access experience can 
export Access databases or create new 
SQL Server databases without taking any 
formal SQL Server training (although I 
don’t recommend doing so). 

Don’t expect the same level of install-and-go
simplicity with Oracle, even with
the Oracle7 Workgroup Server. Oracle has
spent considerable time making sure that
Oracle is consistent across platforms. This
consistency means that NT users face the
same hundreds of tuning parameters that
database administrators (DBAs) face on
other platforms. In other words, you
probably can’t be a weekend-warrior-style
Oracle DBA. Good Oracle DBAs
command a lot of respect - and a lot of
money. If you need to manage an Oracle
database, plan to get some training. One
obvious avenue for training is Oracle
Education (02 9900 1000 or
http://www.oracle.com.au/education/indexhtml),
which offers an array of choices that
include training by instructors, via satellite,
on the Web, and through computer-based
tutorials.

I’ve been gathering reader questions 
and monitoring Oracle discussion lists and 
newsgroups, and I have assembled a list of 
commonly asked questions about using 
Oracle with NT. Some deal with installation,
some with tuning, some with general
product information. Consider this article
a starting point for discussion about
Oracle and NT, and feel free to submit
more questions to me directly or to the
SQL Server section at http://www.winntmag.com/forums.
If readers demonstrate
enough interest, perhaps Windows NT
Magazine will set up an Oracle forum on
its Web site.

Q: How should I organise my NT accounts 
to work with Oracle? 

A: A useful approach is to create an NT 
user account called ORACLE to install 
and administer all databases; grant NT 
Administrator privileges to this account. 
Create a local NT group called 
ORAadmin, for example, into which you 
add the ORACLE account and the 
personal accounts of any NT users who 
will be administering the NT databases. 
Use the ORAadmin group to assign NT 
file permissions for all Oracle-related files. 

An alternative to setting up a local 
Oracle DBAs group (which can be quite 
restrictive and cumbersome for user 
account management) is to create a global 
group called OraGlobalAdmin. This way, 
members can administer Oracle databases 
across trusted domains without needing 
to replicate the individual user accounts 
from domain to domain. 

Q: Besides password and privilege management, what else should I worry about when I create a new user?

A: Make sure to explicitly define a user’s default tablespace and temporary tablespace (both are the SYSTEM tablespace by default) to avoid filling up the SYSTEM tablespace (in SQL Server, you don’t want people storing data in the Master database). Tablespace is Oracle’s term to describe the set of files that store Oracle data. Tablespaces can contain many entities, including tables, indexes, and clusters. Clusters let you tell Oracle to store related tables close together.

Also consider assigning profiles to enforce resource limits — to prevent runaway queries, for example. To assign profiles, you need to include a RESOURCE_LIMIT=TRUE statement in the database instance’s initialisation parameter file. You can set resource limits for connect time, idle time, the number of sessions, and so forth.
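The SQL below is an added example, not part of the original column: it lists accounts that still default to the SYSTEM tablespace, then creates a profile with resource limits and a user with explicit tablespaces. The names app_limited, appuser1, users_data and temp_data and the limit values are hypothetical; it assumes both tablespaces already exist and RESOURCE_LIMIT=TRUE is set in the initialisation parameter file.

```sql
-- Added example. Hypothetical names: app_limited, appuser1,
-- users_data, temp_data. Run as a DBA account.

-- 1. Find accounts whose default or temporary tablespace is still SYSTEM.
SELECT username, default_tablespace, temporary_tablespace
  FROM sys.dba_users
 WHERE default_tablespace = 'SYSTEM'
    OR temporary_tablespace = 'SYSTEM'
 ORDER BY username;

-- 2. Define a profile. CONNECT_TIME and IDLE_TIME are in minutes,
--    CPU_PER_CALL is in hundredths of a second,
--    LOGICAL_READS_PER_CALL is in database blocks.
--    The limits are enforced only when RESOURCE_LIMIT=TRUE.
CREATE PROFILE app_limited LIMIT
  SESSIONS_PER_USER      2
  CONNECT_TIME           480
  IDLE_TIME              30
  CPU_PER_CALL           6000
  LOGICAL_READS_PER_CALL 100000;

-- 3. Create the user with explicit tablespaces, a quota on the data
--    tablespace, no quota on SYSTEM, and the profile attached.
--    Replace placeholder_pw before running.
CREATE USER appuser1 IDENTIFIED BY placeholder_pw
  DEFAULT TABLESPACE users_data
  TEMPORARY TABLESPACE temp_data
  QUOTA 10M ON users_data
  QUOTA 0 ON system
  PROFILE app_limited;

-- 4. Grant only what the account needs in order to connect.
GRANT CREATE SESSION TO appuser1;

-- 5. Verify the result.
SELECT username, default_tablespace, temporary_tablespace, profile
  FROM sys.dba_users
 WHERE username = 'APPUSER1';

SELECT resource_name, limit
  FROM sys.dba_profiles
 WHERE profile = 'APP_LIMITED'
 ORDER BY resource_name;
```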

Q: How can I keep track of logon attempts? 

A: Oracle supports auditing of logon attempts, database actions, or specific database objects (such as salary tables). The first step in enabling auditing is to run Oracle’s CATAUDIT.SQL script (found in ORANT/RDBMS73/ADMIN, with scores of other useful scripts). Run the script as the user SYS, and set the AUDIT_TRAIL parameter in INIT.ORA. Oracle keeps configuration parameters in INIT.ORA. You’ll need to create your parameters, probably by modifying a copy of the sample template file because that method is generally easier than creating configuration parameters from scratch. As Screen 1 shows, the sample template file is INITORCL.ORA, which you can find in the ORANT/DATABASE directory. AUDIT_TRAIL=DB stores audit information in the database; AUDIT_TRAIL=OS stores it as an NT file. To enable logon auditing, execute the SQL command AUDIT SESSION.
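The SQL below is an added example, not part of the original column: it enables the logon auditing described above and then reads the audit trail for failed and repeated logon attempts. It assumes CATAUDIT.SQL has been run as SYS and AUDIT_TRAIL=DB is in effect; the one-day window and the threshold of five failures are illustrative values.

```sql
-- Added example. Assumes CATAUDIT.SQL has been run as SYS and the
-- instance was started with AUDIT_TRAIL=DB.

-- 1. Audit every logon and logoff (the command from the column).
AUDIT SESSION;

-- 2. Confirm which session auditing options are active.
SELECT user_name, audit_option, success, failure
  FROM sys.dba_stmt_audit_opts
 WHERE audit_option LIKE '%SESSION%';

-- 3. List failed logon attempts. RETURNCODE 0 is a successful logon;
--    1017 corresponds to ORA-01017 (invalid username/password).
SELECT os_username, username, userhost, terminal,
       TO_CHAR(timestamp, 'DD-MON-YYYY HH24:MI:SS') attempt_time,
       returncode
  FROM sys.dba_audit_session
 WHERE returncode <> 0
 ORDER BY timestamp;

-- 4. Summarise repeated bad-password attempts per account and host
--    over the last day (window and threshold are illustrative).
SELECT username, userhost, COUNT(*) failures,
       MIN(timestamp) first_seen, MAX(timestamp) last_seen
  FROM sys.dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost
HAVING COUNT(*) >= 5
 ORDER BY COUNT(*) DESC;

-- 5. With AUDIT_TRAIL=DB the records are stored in SYS.AUD$, which
--    lives in the SYSTEM tablespace, so watch its growth and archive
--    or purge old rows on a schedule.
SELECT COUNT(*) audit_rows FROM sys.aud$;

-- 6. Record any change to the audit trail itself.
AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;
```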

Q: How do I load SQL data into my Oracle 
database? 

A: Use SQL*Loader. It is similar to SQL Server’s bulk copy program (bcp); both let you load data from fixed- or variable-length files into Oracle tables.

Q: What database block size should I use? 

A: Oracle recommends that your database block size match or be multiples of your operating system block size. You can make your database block size smaller - down to a minimum of 4096 bytes under NT 3.x or 4.x - but the performance cost is significant. Your choice will depend on the type of application you’re running. If you have lots of small transactions, as you do with OLTP, use a small block size. With fewer but larger transactions, such as in a decision support system (DSS) application, use a large block size.

Q: What are packages? 

A: A package is a set of related procedures, functions, and other PL/SQL code that’s stored in an Oracle database and that client applications can invoke. You (as SYS) can find out which packages are available for a given database by issuing the SQL statement

SELECT object_name FROM
sys.dba_objects WHERE
object_type = 'PACKAGE'

To get a list of almost 1500 objects (including tables, views, indexes, packages, procedures, triggers, and synonyms), issue the command

SELECT * FROM sys.dba_objects

Q: What is SQL*Net? 

A: SQL*Net is Oracle’s client/server middleware product that offers transparent connection from client tools to the database or from one database to another. SQL*Net works across multiple network protocols and operating systems, but it is implemented as a threaded NT service under NT. The easiest way to configure SQL*Net is to run the interactive SQL*Net Easy Configuration utility that is automatically installed with SQL*Net 2.3 or higher. Both SQL*Net Easy Configuration and the more powerful Oracle Network Manager utility generate a set of configuration files that they distribute to network nodes. Each time you add a new SQL*Net client to the network, you must load the appropriate set of configuration files onto the client. This process can be tedious in large, dynamic networks where nodes are relocated. Consequently, Oracle has come up with a distributed service (Oracle Names) for resolving Oracle service names and aliases. Oracle Names is part of SQL*Net 2.1 and above. If you expect lots of users to access your Oracle database, Oracle Names can help you: think of it as providing the same sort of service for databases as your address book does for your email program.

Establishing connectivity to a specific database also requires adding (either manually or with the SQL*Net Easy Configuration utility) entries with site-specific network information into the TNSNAMES.ORA and LISTENER.ORA files. TNSNAMES.ORA is a client configuration file on the server that lets a server connect to additional servers. TNS (Transparent Network Substrate) is Oracle’s networking architecture. TNS provides a uniform application interface that lets network applications access the underlying network protocols transparently. TNS consists of three software components: TNS-based applications, Oracle Protocol Adapters, and networking software such as TCP/IP. LISTENER.ORA is another server-based configuration file that defines information, such as port number, protocols, and timeout settings, that the listener service uses to connect to a server.

Q: What is a quick way to change my login 
to SYS in SQL*Plus? 

A: The undocumented command is 

ALTER SESSION SET 
CURRENT_SCHEMA = SYS 

Q: How can I monitor and kill dead 
connections? 

A: You can detect and kill dead connections with SQL*Net if you specify the SQLNET.EXPIRE_TIME=n parameter in your SQLNET.ORA file. This parameter instructs SQL*Net to send a probe through the network to the client every n minutes; if the client doesn’t respond, SQL*Net will kill the connection.

■ Screen 1: Viewing Oracle's starter INIT.ORA file, INITORCL.ORA

■ Screen 2: Preparing to load one of Oracle7 Server's many scripts into Oracle's SQL Worksheet

Q: Why am I having trouble connecting to 
Oracle with Open Database 
Connectivity (ODBC)? 

A: Ah, this problem is nasty. First, remember that ODBC drivers can be 16-bit and 32-bit and have both client- and server-side pieces - and that the drivers are both what I call first-generation drivers and newer ones. You can download a free first-generation 16-bit driver from Oracle’s Web site. This driver offers ODBC Level One compliance (e.g., with no scrolling cursor support) and is reportedly the same 16-bit driver that Visigenic Software wrote and Microsoft has distributed. Microsoft, however, has now taken the ODBC Oracle driver initiative in-house and distributes a newer 32-bit version in tools such as Visual Studio 97. You can also purchase Oracle ODBC drivers from vendors such as Visigenic, Intersolv, and OpenLink Software. Note that some third-party multitier ODBC drivers let you avoid installing SQL*Net on the client by using the underlying network protocol (e.g., TCP/IP).


Q: I changed NLS_DATE_FORMAT from DD-MON-YY to DD-MON-YYYY in INIT.ORA, but some users are still seeing the DD-MON-YY format. Why doesn’t Oracle display dates consistently?

A: You also need to change the date format on the client(s) in ORACLE.INI, the ORACLE section of the client’s WIN.INI, or the Registry settings, as appropriate.

Q: I keep getting SNAPSHOT TOO OLD error messages when I try to run my application. I don’t have any snapshots. What’s going on?

A: SNAPSHOT TOO OLD is a confusing error message, because it makes you think about Oracle’s read-only copies of all or parts of a table (or a join) that you typically use in a remote site. In case you’re not familiar with Oracle’s SNAPSHOTS, here’s the basic SQL syntax:

CREATE SNAPSHOT <snapshot_name>
[STORAGE <storage parameters>]
[TABLESPACE <tablespace_name>]
[REFRESH [FAST | COMPLETE | FORCE]
[START WITH <start date> NEXT <next date>]]
AS
<your_query>

The Oracle DBMS_SNAPSHOT package lets you update snapshots manually using a REFRESH procedure call in this format:

DBMS_SNAPSHOT.REFRESH(snapshot_name, refresh_<type>)

where the values F, C, and ? execute fast, complete, and default updates, respectively. You can issue SQL statements from the SQL Worksheet (similar to SQL Server’s Interactive SQL - isql), as Screen 2 shows; from SQL*Plus; or from the command-line Server Manager.

However, the SNAPSHOT error message is related to rollback segments, a physical data structure within a tablespace. Oracle uses the structure to store transaction data in case you need to roll back a transaction. Obviously, you must define rollback segments to be large enough to accommodate the rollback data that your largest transactions will generate, but the Oracle engine handles rollback segments dynamically. A SNAPSHOT TOO OLD error means that something went wrong, and the rollback segment information is no longer available (i.e., another transaction overwrote it, generally because the transaction ran extremely long). Once Oracle receives a COMMIT, it copies the transaction information to the redo log. (SQL Server, unlike Oracle, doesn’t have separate rollback segments and redo logs, only a single transaction log.)

To avoid the problem, you can

• increase the size of your rollback segments and rollback extents

• specifically assign a large rollback segment to a user or session you know will generate a long-running transaction (e.g., SET TRANSACTION USE ROLLBACK SEGMENT reallybigone)

• try to break up long transactions into shorter ones

• take advantage of multiple CPUs or Oracle’s parallel query option

• use the TRUNCATE command, which doesn’t use rollback segments, for large-scale deletions

Q: How do I use the Parallel Query Option 
(PQO)? 

A: Oracle’s PQO is available for Oracle7 Universal Server for NT, but not for the Workgroup Server for NT. You use PQO primarily for data warehousing and other decision-support applications (as opposed to online transaction processing, or OLTP, applications); PQO lets you parallelise sorts, table scans, and loads; use bitmapped indexes; and so on. Once you’ve altered INIT.ORA to support PQO, you need to let Oracle know which tables and indexes you want to parallelise. Use syntax similar to this:

ALTER TABLE tablename PARALLEL
(DEGREE <n>)

You can monitor parallel query execution by issuing the command

SELECT * FROM sys.v_$pq_sysstat

One useful rule of thumb is to set INIT.ORA’s PARALLEL_MAX_SERVERS parameter to 2 for each installed CPU. The focus of this parameter is in scanning tables that use one server (thread) for n pieces of the table. If the table spans more than one disk, adding servers (threads) will speed table scans. A disk-limited system won’t benefit from adding parallel server scans.

Q: Does Oracle have anything like SQL 
Server’s STATISTICS IO? 

A: Yes, you can run Oracle’s UTLBSTAT.SQL and UTLESTAT.SQL scripts to report information about Oracle’s file I/O, library cache (shared SQL and PL/SQL areas), latch usage, rollback statistics, and much, much more. After setting Oracle’s TIMED_STATISTICS to TRUE, you can run the scripts as user SYS from SQL*Plus or Enterprise Manager’s SQL Worksheet or after connecting as INTERNAL in Server Manager. The scripts create temporary objects in the SYSTEM tablespace with names like STATS$BEGIN_FILE and STATS$END_STATS. So-called X$ tables, or tables with a dollar sign in them, are Oracle-maintained pseudotables; you can list them by selecting from V$FIXED_VIEW. Objects with names starting with V$ (e.g., the crucial V$SYSSTAT object for system statistics) are Oracle’s dynamic views; DBAs use them widely to tune Oracle.

Q: I have a CD-ROM that has Limited production written on it. What does that mean?

A: The CD-ROM is a late beta version of 
a product that eager Oracle customers pay 
for. 

Q: What is Optimal Flexible Architecture 
(OFA)? 

A: Cary Millsap and the Oracle Performance Group developed OFA in 1995 as a blueprint for administering and managing Oracle databases. OFA has become a standard in the UNIX world, as a way to help DBAs and consultants go to new sites that have adopted the OFA approach to filenames, locations, and so on. Although parts of the OFA document are UNIX specific and don’t readily map to NT (/etc directories, for example), I recommend that anyone new to the Oracle DBA world read and become familiar with it. NT DBAs can adopt at least some of the non-OS related recommendations - those that apply to tablespaces and object fragmentation, for example - and adapt some of the more OS-specific advice related to installation, account and file system management, and so on. You can download the OFA document as a .PDF file from the ODP site at http://tiburon.us.oracle.com.

Q: Some sources recommend installing the starter database and using it as the basis for my database so that I won’t need to hassle with setting parameters and running SQL DDL scripts. Others say that using the starter database is crazy. Who’s right?

A: Probably the only people who should opt for the starter database as a model are absolute beginners or people who want a quick-and-dirty database for a workgroup application. The starter database has several important limitations (any of which you can change, of course, by reconfiguring the database - changing parameters, locations, and so on). The most important limitation is that the database is created in NOARCHIVELOG mode, which means that you can’t perform a restore if you need to. You can remedy that situation through Server Manager. You see its DOS icon in the SQL Enterprise group, or you can run SVRMGR23 directly. Log in to the database by choosing CONNECT, INTERNAL from Server Manager, as Screen 3 shows. You then start the database by choosing STARTUP, EXCLUSIVE, MOUNT and enter the command ALTER DATABASE ARCHIVELOG. You’ll need to set the log_archive_start parameter to true in your database’s instance initialisation file, so that the archiver process, ARCH, can start.

Other potentially risky defaults in the starter database are the result of its being a small test database. The SYSTEM tablespace, for example, is only 5MB, and the rollback, temporary, and user tablespaces are only 2MB. Remember that Oracle has sized the starter database for development or workgroup use. Specifically, three size considerations make the starter database inadequate for larger databases: the starter database’s parameters for the shared global area (SGA - a shared memory structure that includes data block buffers that function as a cache, a shared SQL area for storing parsed SQL statements, and a data dictionary cache) and its rollback and temporary segment spaces.

Note that the SGA is a cache, so you 
assume that it is resident in real memory. 
If the SGA is larger than real memory, 
NT might be forced to page, and paging 
to the same drive as the database can 
affect performance. So make sure you 
know which NT settings you have for 
real and virtual memory when you assign 
Oracle’s SGA. The more real memory 
you can install, the better - your work 
will always benefit from increasing your 
SGA shared pool and database block 
buffer sizes. 

Integrated Systems Consulting Group’s Brian Guza made an excellent presentation (“Administer the Oracle7 Server for Windows NT”) at a US Oracle Conference (ECO 97) in April, and you can download the paper from http://www.iscg.com/techgood.htm. The six-page .PDF file describes a nine-step procedure for setting up an Oracle database from scratch instead of using the starter database and offers some NT-specific modifications to OFA. ARIS’s Mike Curtis, a systems engineer with a decade of Oracle experience, made another presentation, “Oracle Architecture and NT,” which can be downloaded from http://www.aris.com or http://www.ioug.org.

Q: Are there any Oracle discussion lists?

A: Yes, but none that are NT specific. Kapur Business Systems (KBS) maintains my favourite site (http://kbs.net). To join the list, send a SUBSCRIBE ORACLE-L yourname message to LISTSERV@DBINFO.COM. If you or your organisation has purchased Oracle support (call 02 9900 1707 for information about Gold, Silver, Bronze, Basic, or Standard support levels), you can access Oracle’s premier support site on CompuServe (GO ORASUPP). One useful download in ORASUPP’s MISC section is a utility (ORASAFE.EXE) that automatically shuts down your Oracle database when you reboot the server. (Otherwise, Oracle issues an implicit SHUTDOWN ABORT, an inelegant solution resulting in automatic instance recovery when you restart the database.) You can also find several Oracle newsgroups at comp.databases.oracle (.server, .misc, .market, and .tools sections), and you can find excellent resources at Oracle’s Developer Programme (ODP) site. Membership in the ODP is well worth its $595 per year cost. Another of my favourite Oracle Web sites is the Underground Oracle FAQ (http://www.onwe.co.za/frank/faq.htm), which contains much more than just frequently asked questions.

Q: How serious is Oracle about its NT platform? The company won’t get the profit margins in NT that it gets in UNIX sales.

A: Oracle is very serious about NT. The company has been shipping Oracle7 on NT since December 1993 (the Workgroup Server for NT has been available since September 1994). NT is now an Oracle Tier One platform, putting it on a par with Solaris and other key UNIX platforms for new product releases (the number of Sun Microsystems’ Solaris and NT beta sites for Oracle8 were reportedly almost equal). Oracle also has hundreds of programmers and support staff assigned to the NT Technology Centre, which is part of Oracle’s Worldwide Alliances and Technologies unit; an NT sales force about 150 strong under the leadership of Shari Simon; and an NT centre of excellence group in the Oracle Consulting Services Division. And don’t forget the NT section on the Oracle Web site.

Wrapping it up 

One Oracle Q&A column hardly does justice to the issues surrounding setting up and maintaining an Oracle database on NT. The bottom line, especially for developers who are used to working with Access or SQL Server databases, is to not take Oracle DBA tasks lightly. Richard Headley, US vice president of Platinum Technology, a company that provides a variety of DBA utilities, says he’s seen too many one-off databases that novices have designed without paying enough attention to sizing and capacity planning and scheduled backups and reorgs, not to mention basic database design. “Denormalisation is one thing,” Headley says. “Sheer ignorance is another.” In other words, if you’re going to use Oracle on NT, plan to spend some time learning your craft.






it's line having a service station 

harmful viruses. And Keep your 



The sure-fire way 
to keep your PC 
up-to-date. ^ * 


m 


yinciuae^ 

virus 

Protection 

Support 1 
aesk 


l 

* 

1 

i wr 

- ^ [ 

r 



QUARTER 


i35 TuneUp Version 1.0 


Procomm Plus 32 


Whether you're cruising the Internet, sending or receiving a fax, or
downloading a file from the office, Procomm Plus 32 has
everything you need to communicate via your PC. Fax, Internet
and Data functions are seamlessly integrated into one
intuitive interface. The quickest, most reliable way to get
the most from being connected. Procomm Plus 32 allows
you to work at your computer the way you want to,
moving from one activity to the next with ease. Procomm
Plus 32 also boasts the new feature Procomm Remote which
allows you to connect from anywhere to control your office or
home PC files and applications as if you were sitting there.
Remote control is also a great way to read and send e-mail,
share applications and files between your laptop and desktop.


The world's No.1 best selling
communications software is the
only complete solution to access
all your PC communications from

WHAT THE PRESS A 

"...read all the review to appreciate the magnificence of the product"

"...easy to operate, a dream to install" 

Micro Computer Mart 


• Fax Manager 

• Data Transfer 

• Connection Directory 

• Web Browser 

• Internet Mail 

• Internet News Reader 

• FTP and Telnet 

• ISDN Support 

• Aspect Script Language 


Orderline 1300 360 799

9am til 6pm Monday to Friday and 10am til 3pm Saturday.


Fast Delivery

100% Detection & Removal

Massive Stocks

All Welcome!


SOFTWARE WAREHOUSE


Worldwide 
Anti-Virus 
Market Leader 


Supports Windows 95, 
Windows NT, 
Windows 3.0 


and DOS 

Free Updates
Online


Virus Protection From:

• Internet Downloads

• Floppy Disks

• Networks

• Macro


8 Reason 

why 1,000's 
of buyers 


Software 


every month! 


Your Eyes Only 

Keep your files safe from prying eyes! 

The only security software you'll need 
for your laptop and on the Internet. 

The last thing you need is more work - so Your Eyes
Only protects your confidential files
automatically and transparently. It
prevents unauthorised users from
tapping into your computer files,
but that's not all: It actually stays
with your files, wherever they go.

Unauthorised users can't. It's that
simple. Unique patent-pending
SmartLock encryption makes
security totally automatic. Just
designate which directories you
want to secure and the
files in those directories
become automatically
decrypted when you open them with passwords.

Designed for Windows 95


$129


Norton For Your Eyes Only 4.0 Win 95 3.5"


Norton Utilities 


Over is Million users 


world Wide. 


• Automatically downloads 
software updates and patches 


$109 


Right there, right when you need it 
Norton fixes problems you wouldn't 
otherwise know were there until 
it's too late. The system Doctor 
monitors your whole system and 
automatically corrects problems 
before they affect you. 



PC-cillin v3 The Top Antivirus Package!


Every major magazine that has reviewed PC-cillin has rated it the UK's top virus software for Windows 95, 3.1
and the Internet. It is the most effective virus protection you can get - don't download without it!


"Protects You
from Viruses
Automatically!"


Speed Surfer

The wait is over...more power



Keep your htmtiwcee in 
with Check It 
Kit 


CheckIt Diagnostic Kit from Touchstone is
the all-in-one hardware problem solver for
Windows 3.1, 95 & DOS!

Use CheckIt Diagnostic Kit and get the most out of your Windows
Containing full


WinCheckIt Diagnostic Kit
WinCheckIt 4.0


The Revolutionary New Way to
Get More Hard Drive Space 

Get 150% more space safely and easily 


$55 

. $39 


windrenaiin 


Accelerate Your Hard Drive By 


Quick view Plus 


Up TO 500% 



I Only^S9 95 * 



[Screenshot: virus scanner window with File, Scan, Disinfect, Info and Help menus and the prompt "Highlight drive to scan and press Scan"]


Dr Solomon's Anti-Virus


Now the international best selling virus protection software
is finally available in Australia and New Zealand. Dr Solomon's
Anti-Virus detects and destroys most viruses...automatically!

Exclusive Dr Solomon's WinGuard scanner 
and Dr Solomon's NetGuard technology 
provide 24 hour virus protection from 
internet downloads, shared files, e-mail, 
floppies, hard disks and more. 

Features 

• Unique Technology - Dr Solomon's Anti-Virus 
employs Advanced Heuristic Analysis (AHA) and 
Advanced Macro Heuristic Analysis (AMHA) 
technology to reliably detect new and unknown 
viruses without creating false alarms. 

• Compressed File Scanning - Dr Solomon's 
Anti-Virus has the ability to scan inside more 
compression file formats than any other 
anti-virus product, and scan recursively inside 
multiple nested layers of compressed and 
archived files. 

• Online Updates - Dr Solomon's Anti-Virus' 
Automatic Protection Plan delivers a new product 
monthly with updated scanning technology and 
virus signatures to ensure comprehensive 
protection against the 300+ new viruses 
discovered every month. 

• New Interface - a new intuitive interface makes 
Dr Solomon's Anti-Virus one of the easiest ways 
to protect users from computer virus attacks. 

• Automatic Virus Removal with WinGuard - 
not only will WinGuard, Dr Solomon’s on-access 
virus scanner, protect against virus attack 24 hours 
per day, but it can automatically remove any file 
or macro virus it detects. 

• Educates with the Virus Encyclopedia. Gives 
detailed, in-depth descriptions of "In the Wild" 
viruses most commonly encountered by 
computer users. 

• Money-Back Guarantee. Dr Solomon's Software is 
so confident that it offers better virus protection 
than Norton, McAfee, IBM, PC-cillin or VET, it 
stands behind its product with a money-back 
guarantee. 

• FREE, unlimited 24-hour virus emergency support 
with one of its technical experts on the phone 
and by e-mail. 


Dr Solomon's Anti-Virus is the only anti-virus 
product available in Australia that is able to 
automatically detect and eliminate the over 
13,000+ known viruses that are out there, 
ready to attack your PC. 

With over 3 million users worldwide, 24 hour,
7 day technical support and on-line upgrades
for killing new viruses it's no wonder
Dr Solomon's is trusted by over 3 million
people worldwide.

It's the world's most advanced, trusted and
widely used anti-virus program.

Computer viruses are increasing at the rate of 300+ per month.


"Kills The Most Viruses... Automatically!"

Marketing and
Distribution by:


Better virus protection than
Norton, McAfee, IBM, PC-cillin
or your money back.


Dr Solomon's Anti-Virus


All prices INCLUDE sales tax.

FULL-STRENGTH, 100% ANTI-VIRUS PROTECTION.


advanced in detecting viruses 
I compressed files including 
ing the widest variety of file 


Most Viruses' 


resent the newest threat 
and they're easily shared \ 
mail. No other product de 
e Dr Solomon's. 


McAfee 


If you want the best in anti-virus
software, demand Dr Solomon's
anti-virus!

Marketing & Distribution by MOtIIU'J internet address: softwareehotkey.com.au 


























Updates 


How does it work? 

1. Just click on start and Oil Change identifies all the installed
software applications and hardware drives on your PC

2. Oil Change then checks with CyberMedia's master list of new
updates and drivers that are currently available on the
Internet and gives you a helpful description of each update so you'll know
what benefit each update will provide

3. A helpful description allows you to select only the updates you want.
Oil Change downloads and safely installs your new software automatically


Only $49


Fix Internet
Connection And
Modem Problems
NOW!


Oil Change


Update your Software
AUTOMATICALLY Over The Internet!




New software updates and hardware drives are 
being released on the Internet every day, 
designed to fix bugs, improve performance and 
add great new features to your PC. And most of 
them are FREE! 

You can keep your PC running smoothly if only 
you could get these updates, but how do you 
make sure you have installed the updates 
properly? 

No more hours of looking and searching the
huge mass of information that is the internet in
the hope of finding upgrades to the software
you already own and have installed on your PC
- CyberMedia's Oil Change will first identify the
software that you have installed on your PC,
then log onto the internet in order to check with
the CyberMedia Internet master list of new
updates and drivers that are currently available
on the Internet and then give you a helpful
description of each update
so you'll be able to make an
informed choice. Next Oil
Change allows you the option
of then choosing to upgrade
that particular software or move
onto the next upgrade or driver
that is available. If chosen, Oil
Change automatically and safely
installs the new software. Even after
you have downloaded the software you
still have the opportunity of reverting to
the previous software that you were using
because Oil Change saves a version of your
present software before installing new
software - One click is all you have to do and
your computer's original setup is restored!

It's that easy and that safe! 


Kiss

Modem

Wizard


Here's what Top PC mechanics are saying:

"Could be the most significant program to hit your hard disk in many a moon" 

- Netguide 

"The most advanced on-line tune up" 

- CNET Television 

"Consider it your own personal upgrade assistant and system maintainer" 

- PC Magazine 

"Oil Change ensures your computer is running the newest software... it 
doesn't get any easier than that."

-Time Magazine 

"(with this) digital oil change.... you have not just software but living 
software." 

-Time Magazine 


• Locates new updates, patches and drivers for your PC on the Internet.

• Downloads and installs the updates you select.

• Get new plug ins for your browser.

• Tunes up your software for peak performance.

• Keeps your PC up-to-date.

• Gets you the latest and greatest enhancements for your software.


- for Windows


Step Remote net 

Here's why Laplink is the only choice 

Remote Control 

• Fast performance with automatic disk caching, colour d 
and bitmap filtering 


to your Desktop

Designed for Windows 95

Laplink takes advantage of the power of true 32-bit
computing. Its seamless integration with Windows 95
provides support for long file names, lets you share yc
modem with multiple applications and offers you assistance using


One Step Access to Information

Work efficiently from the road, home or office
with LapLink for Windows 95. Other remote
access applications require multiple connections
to do multiple tasks but with LapLink's one

need access to information on a Windows 3.1
system, Laplink for Windows 95 is the smart
choice with guaranteed connectivity to the 16-bit
version of Laplink for Windows - included in


Stay in touch while on the road 

When you need to access information, Laplink keeps you connected to 
your office PC or network from wherever you are - 5 feet or 5,000 miles 
away. Now you can run databases and custom applications, transfer files, 
synchronise data, remotely control a PC, read and send e-mail all with 

work, Laplink delivers the freedom to connect from everywhere. 


at 

■ 

Windows'95 


Protect against 
software crashes 


$79 


$ 99 “ 


Finds and fixes Windows problems immediately 

Have you ever installed software only to find that things that worked 
yesterday don't anymore? Now there's a tool which can resolve these 
problems - without hour long technical support phone bills! 


PC Medic 97

Stops Crashes -
Before They Stop You!


McAfee
VirusScan






























$1099 


01 CD-Quickshare (unlimited users) 


$1799 


ReachOut - Remote Access

Reach any PC, from Everywhere, Everyway


PROVEN WINNER!


ReachOut


CD-Quickshare

Means Faster
and Simpler Networks


Intel’s family of networking products
utilises the Intel Architecture inherent
in your PCs to give you more control over
your network at less

Each product, from a simple adaptor card to
a Fast Ethernet hub, is designed to integrate
seamlessly with your existing network


Intel EtherExpress Pro/100 TX-PCI ... $139
Intel EtherExpress Pro/100 TX-PCI 5 pack ... $659
Intel EtherExpress Pro/100 TX-PCI 20 pack ... $2099
Intel EtherExpress Pro/100 TX-PCI 80 pack ... $8999
Intel Express Stackable Hub 12 ports ... $1869
Intel Express Stackable Hub 24 ports ... $8870

Intel Fast Ethernet Workgroup (1x Express
Stackable 12 port hub + 10x Pro/100 adapters).

Intel Express 10/100 8 Port Switch
TX Uplink Module.


$2750 

$2399 


Intel Pentium and
Motherboards


Intel Pentium 166 MMX in box with fan 2.8v ... call
Intel Pentium 200 MMX in box with fan 2.8v ... call
Intel Pentium II 233 MMX in box with fan 2.8v 512k ... call
Intel Pentium II 266 MMX in box with fan 2.8v 512k ... call


call 

...call 



Upgrading and 
Repairing PCs 
Sixth Edition 


re. This Book Hr 



No Matter What Kind Of PC V 
The Upgrading and Repairing 

Far more than just a "repair" manual. Upgrading and Repairing PCs, Sixth 
Edition is simply the most comprehensive PC support reference available. 
Discover the best way to access your system, install hardware, and troubleshoot 
problems. Learn about the latest state-of-the-art motherboards, processors, 
memory, and disk drives. 


This book addresses all PC-compatible systems,
notebooks to towers, as well as
Windows 95 and the new Plug
and Play standard. Included with
this invaluable reference is Ziff-
Davis benchmarking and
diagnostic tools - Winstone 97
and WinBench 97.

Completely test your system's
performance with today's top
software products. Compare
relative system performance


UPGRADING AND REPAIRING PCs


you purchase a

computer's subsystems and
eliminate performance
bottlenecks.





01 Upgrading & Repairing PCs...


02 Upgrading & Repairing PCs (Hard Cover)....

All prices INCLUDE sales tax. 


109 


\<Msaf>\ i-Share if2.0 



No need to have a separate ISP and 
user, cuts administration expenses, and reduces memory usage 

include Eudora Light e-mail client software; Tierra Highlights 
Internet monitoring and alert software; NetCentric FaxStorm sol 
for cheaper faxing over the Internet; Forte FreeAgent ne 


LANtastic V7



LANtastic the leader in small-business networking. 

ART018 LANtastic V7 2 User Starter Kit.. 

ART021 LANtastic V7 Single User Addon Kit. 

ART022 LANtastic V7 Single User CD_ 

ART023 LANtastic V7 Single User 3.5. 



$915 

















































COMPRO

$299


CMP002 Compro Super Pack
(24x CD ROM Drive) ..


$349

Sound Blaster
AWE64 Value


Netwave MX Combo Modem


$259


PhotoEssentials


PC-DVD Encore DXR2


$709

Idiot Proof
Multi-Media

- Just plug in and play.

• External 12x Speed High Performance CD- ROM 

• Front Loading motorised tray, no caddy required 

• High speed reading transfer rate (sustained) 

1800KB/second using a high speed parallel port 

• High speed access random averages 10ms 

• Supports High Sierra, ISO 9660, CD-ROM XA, Photo CD & CD-Audio for 

• MSCDEX compatible includes MSCDEX 

Includes EasyMate Case, 12x CD-ROM 
and all Cables & Drivers. With bonus 
Asymmetrical Software - 
Web Publisher & Tri-Spectives 2D Eye 


$399 


Take Your Notebook
Out Of The
Prehistoric Era.

The SoundMate is specifically designed to bring old Notebooks 

completely portable multimedia system includes a 12x CD-ROM 
small lightweight multimedia uni 


The Power To 
Create vour 
Own CDs 

ATAPI (E-IDE) CD 

Recordable 

6 x Read - 2 x Write 




Writable CD Recorders 


Allows users to record audio tracks directly from CD ROM, Hard 
Drive or Database using Drag and Drop on to CDR. Also enables the 
removal of crackles and hiss from studio tracks, the creation of 
layouts for booklet, inlay card and CD label, multi-session audio 
recording and on the fly audio recording. 

Music Kit (Traxaudio Pro software, 1x CDR, Audio Cabling & Jack Plug)
TRX142 Music Kit . Sirs 


a professional image. 

the perfect answer to all those 


$79 


Traxdata


CD Rewritable Recorders & CD


Traxdata Accessories Kits


PressiT Custom CD Labeller 


Traxwriter CDRW2260 Starter Kit 
2x Recorder, 2x Re-write, 

6x Playback 

• Traxdata CDRW2600 drive 

• WinOnCD ToGo software 

trxi4o Traxwriter CDRW 2260 Int $1099 


Traxwriter CDRW4260 Starter Kit 
4x Recorder, 2x Re-write, 

6x Playback 

• Yamaha CDRW4600 drive 

• WinOnCD ToGo software 

Traxwriter CDRW 4260 Int $Call


Recorders 

CDs provide the most cost effective and safe medium 
for long term storage and now with CD Recorders and 
CD-ReWritable recorders, they are the first choice solution 
for Data sharing. Distribution, Archiving, Computer Backup 
and audio Recording. 

Traxwriter now offers the latest in technology with CD-RW 
Recorders which are at the leading edge of CD technology. 
The range of internal mounting and stand-alone recorder kits 
offers a selection of write/re-write/read speed combinations, and 
a variety of specialist mastering software to suit the requirements of 
the office or home. 

TraxData's new range of CD-RW Recorders 
enable you to read, write 
and then re-write your CD's! 

The new CD-RW offers a choice of 2x or 
4x record, coupled with 2x re-write and 
6x read speed. 

Flexibility and Computability 

CD-RW recorders 
to record both 
and the 

new CD-RW media, 
depending on the 
application, ensuring 
maximum cost-effectiveness. 

Recorded CD-R discs can be read on 
standard drives (CD-ROM, CD-Recordable and 
CD-RW), as well as some DVD-ROM drives, while CD-RW discs 
can only be read on a CD-RW recorder. 


Traxwriter CDR2600 

2x Recorder 6x Playback Starter Kit 

Recorder kit includes: 

• Traxdata CDR2600 drive 

• WinOnCD ToGo software 

• 2 x Traxdata CD's 

• ProscaPen 

trxJ Traxwriter CDR 2600 Int $G69 


Traxwriter CDR4600 

4x Recorder 6x Playback Starter Kit 

Recorder kit includes: 

• Yamaha CDR2600 drive 

• WinOnCD ToGo software 

• 2 x Traxdata CD's 

• Prosca Pen 

• Cabling 

trxi47 Traxwriter CDR 4600 Int $999 
Iomega Buz -
Multimedia Producer


• Get your multimedia stuff into your PC

• Personalise it using the easiest software around

• Share it with others using Zip or Jaz disks, VCR tape or even the Internet


CD-quality audio and play


Jaz is the perfect 
choice for hard 
drive upgrades! 


affordable 
rsonal storage 
solution in one! 


Iomega


$679

$509


ZIP & JAZ DISKS


3x JAZ Media PC Disks ... $449
3x JAZ Media Mac Disks ... $449
JAZ Traveller

3x ZIP 100Mb PC Disks
10x ZIP 100Mb PC Disks ... $249
3x ZIP 100Mb Mac Disks ... $199
6x ZIP 100Mb PC Disks ... $149


Mitsubishi Consumables and Storage

SyJet 1.5GB

Bigger, Faster and Better 


EZFlyer 230MB

External SCSI & Parallel Port


Western Digital
CAVIAR Hard Drives


SyJet is designed to offer maximum performance,
flexibility and reliability, at tremendous

SyJet 1.5 GB is a high-performance removable cartridge hard dri
boasts the highest capacity of any product in its

- Macworld

in performance, the SyJet 1.5GB matches or
and offers more


Internal EIDE

The world of personal computer storage is changing, fast. Files are huge and getting
ed hard drive is just that fixed, an


































One cartridge fits all QIC-80, QIC-Wide and 
Travan drives. Delivers over 25% higher capacity 
than Travan equivalent. Higher capacities than 
all other media, keeps the costs per MByte to a 
minimum. Fully pre-formatted & approved by 
QIC and all drive manufacturers. 
$ 49 “

$55

Verbatim


DAT 4mm

DL90M 1.3GB Tape Cartridge ... $15
DL120M 4GB Tape Cartridge ... $32

DAT 8mm

DL112M 2.3GB Tape Cartridge ... $16
DL160M 7GB Tape Cartridge ... $29


Verbatim




The ideal solution 
for desktop 
online archiving 

Verbatim 

vero 43 CD DataLifePlus 640 MB CD 


$S°° 


verbatim HD 


Each Verbatim diskette is individually
certified 100% error free. All are pre-formatted
to save you time. A typical
diskette will perform an average of 30
million revolutions - almost ten times the
industry standard. A highly developed
burnishing process makes for perfect contact
between your floppy drive's read head and
the floppy, no wonder Microsoft use
Verbatim disks exclusively for their products!

Ten disks are included in one pack. 

vERQoi Verbatim 3.5 HD IBM disks (10 per pack). 

veroo 2 Verbatim 3.5 HD Apple disks (10 per pack)... 



Verbatim
SONY.

StorStation 

Ultra-Compact Ultra-Fast Ultra-Easy 

The Sony StorStation Tape Drive, with a capacity for up 
to 2.0GB, it's a great way to backup your hard drive. 

The StorStation lets you protect the contents of your he 
can also schedule backups, so even if you forget, the 
StorStation does not. You can also perform Backup in th 





Sony QW2GB data cartridges

Sony QW2GB data cartridges, the reliable and versatile solution 1 
maximum of 2GB capacity, compatible with Sony Storestation an 

soNY2oSony QW 2GB data Cartridge (5 pack). 

All prices include sales tax. P 


$209 


SONY. CD-ROM 
Recorder 


Create your own CD-ROM discs or back-up/archive with yo 
Recordable CD-ROM Drive. With the Spressa, creating CD's 
Whether it's a document database, image file, multimedi. 

Bundled with the Spressa is CD Creator Mastering Softwar 
and powerful functions. The robust features of the CD Cr« 
the disc creation process, a jewel case editor for creating customised inserts, video CD i 
CD creation capabilities, CD duplication services and studio 



SONY. 

50NY22 Sony Spressa External .. 


$1209 

$969 


Sony Recordable CD media 

Sony CD-R media has a large 650MB recording capacity for digital da 
applications. 

soNV2d Sony CD-R media (10 pack dual case) 


$109 


For the east of U, 

a local call I 

Stereo speaker
system 

QS-835 Sound force 200 


StnkePad 

For IBM and compatible 


Super warrior 

lethal series 
























































Plustek OpticPro
4830P Flatbed
Scanner

The OpticPro 4830P colour Flatbed
scanner is a feature packed product
at a very affordable price.

Not only does it share the specifications

Infinity
Scorpio

Ateco Infinity Scorpio -

The last scanner you'll ever buy!


Ateco


Logitech PageScan


Logitech ScanMan
Colour 2000


Colour Pro


Personal document manager with flatbed 
versatility 


Create a world of great projects 
quick and easily 


PageScan Colour Advantages 

• Installs without opening your computer


PageScan Colour includes 

PageScan Image Editor 


$279 


$199 


Logitech PageScan Colour Pro 
MICROTEK High-Tech Scanning


Introducing "Simple SCSI"

The E3 Scanner now ships with "simple SCSI". Simple SCSI is a special cable with a built- 
in SCSI-to-parallel converter. Your standard SCSI scanner can be plugged straight into 
your PC's parallel port - No need to install an interface card. It's pass-through, which 
means you can use both your printer and your E3 scanner off the same parallel port 
connector. 

All E3 Scanners also come with Photoimpact SE (PC) & Colorit (Mac) Editing 


All MICROTEK a 


ScanWizard for Windows 3.1, 95, NT & Mac
OmniPage LE OCR for both Windows & Mac 
12 months warranty. 

Free phone support for 1 installation . 

Most software, drivers & manuals ar 


MICROTEK 


Scans both negatives and 
positives. 

Scans strips or mounted slides. 


Microtek 35T Plus.


High-speed, high-resolution

Slide Scanner

30 Bit Colour (1 pass)

3,900 x 1,950 DPI Optical

3,900 DPI Interpolated

Dedicated slide scanner to get the
best sharpness and detail from



you what is on the scanner's flatbed s< 
select 1 or more images. You can of course simply use default 
settings and by clicking on SCAN obtain effortlessly a top quali 
be very very close to the original! 

With ScanWizard, matching the quality of your original image 
challenge, simply a starting point. Why not make the image Ic 
than the original? Based upon what you see on the screen, you can apply 
at time of scanning a host of image enhancements and filters. You may 
prefer a softer or sharper looking image. By boosting the colour 

ray want to give your pictures that "travel brochure 


• 36 Bit Colour (1 pass)

• 1,200x600 DPI Optical

• 9,600 DPI Interpolated

• A4+ Size (8.3 x 14")

• Best optical quality. The professional

• PC MAGAZINE Editor's Choice.


03 ScanMaker3... 


Each time you apply a filter you can see the result on the sen 
to ScanWizard's Live Preview which shows you before and at 
This makes ScanWizard more fun, more powerful and easier 
other scanning software. 

For the advanced user, ScanWizard also includes a host of fe 
batch scanning, de-screening, exposure control, curves and le 


Transparency Media 
Adaptor 

The Transparent Media Adaptor (TMA)
lets you scan 35 mm slides and
photographic transparencies up to 8x10".
Very easy-to-install (clips on; no screws!),
it simply replaces the


SCAN / COPY Utility

Quick-panel lets you scan
directly to your existing printer,
fax card or disk file. For Windows
3.11/95. FREE with all MICROTEK Scanners.


Adobe Photoshop 4 

CD version.Special price if ordered wi 
MICROTEK sea 


Automatic Document 

Feeder. For unattended scanning 




06 TMA for MICROTEK E3 or E6. 

09 TMA for ScanMaker 3. 

os Photoshop 4 with Microtek Scanner. 

io Automatic Document Feeder E3/E6/SM3 ... 


$379 


$259 

$S99 


All prices INCLUDE sales tax.
Paper & Transparencies for Deskjet,

Deskwriter & Paintjet XL300 

m A4 (20 sheets) .... 

102 HP Premium Glossy A4 Paper (10 sheets). $19“ 

er A4 (200 sheets. . &3a 9s 

et pack (DJ 690 only). $19“ 

fP Greeting Card Paper. . $20** 

HP ink 

Ink Cartridges - Deskjets & OfficeJet 

ctio High-Capacity Black Ink, DJ400/500 series. $39" 

in Tri-Chamber Colour Ink, 300/400/500 Series .... $aa 9s 

k. DJ/DW600 Series . .$59“ 

ns Tri-Chamber Colour Ink, DJ/DW600 Series. $44“ 

ucm Colour Inkjet Photo Cartridge (DJ 690 only). 49“ 

ck Ink. DJ1200 Series, CopyJet & DesignJet 2xx, 3xx & 650 $3S 95 
122 Black Ink, DJ 800, DJ1600 & DesignJet 700 Se 
<23 Tri-Chamber Colour DJ800 Series. .$45” 

HP Toner 

25 Microfine Toner Cartridge U 5L (EP-A) . 

le Toner LaserJet 5P, 5MP, 6P & 6MP .... $129 as 

135 HP Toner Collection Kit Colour LaserJet 5 & 5MV ... $59“ 

17 Roadster 56K Flex Ultra (external)..

is Roadster 56K X2 (external). 

32 Roadster 56Kflex (internal data/fax) 
36 Roadster 33.6K (external) 
is Roadster 33.6K Ultra (external) 


CreditCard
Ethernet
Adaptor 10/100

Connect portable PCs to 100Base-TX 
Ethernet networks with this high- 
performance PC Card adaptor! 

Portable PC users can now connect to both 10Mbps Ethernet 
and 100Mbps Fast Ethernet networks with this high- 

path for over-burdened 10Mbps Ethernet networks. Now 
portable PC users who use graphics-based, network-intensive 
applications such as database access, imaging, and 
CAD/CAM, as well as the growing population of e-mail and 
internet users, can enjoy the benefits of having access to the 
increased band-width of 100Mbps Ethernet networks for 

Ready provides instant access to both 10Mbps an 



CreditCard 
Ethernet 

Adaptor 10/100.... ^2/9 


PC Card 
Ethernet + 
Modem 33.6 

The fastest performing combination P 
on the market today! Ideal for use at 
in the office and on the road 


connectivity by combining both a high-performance Ethernet 
LAN adaptor and high-speed V.34 data/fax modem in a single 
PC Card. The 33.6 Kbps data/14.4 Kbps fax modem capabilities 
high-speed 



Ethernet Combo 
(TP & BNC) + 33.6 
Modem . 




CreditCard 
Modem 33.6 

The high-performance modem that gives 
you the freedom to communicate with the 
world, anytime, anywhere! 

In the office, at home, or on the road, Xircom’s CreditCard 


Nationwide 

Delivery 
Accura 33.6
Data/Fax/Voice

Hayes


When technology changes, isn't it best to go with the industry
standard? Experience the internet, online services, bulletin bos
e-mail, cybershopping, faxes and professional message centre
software. Available Windows or Macintosh PC's.


Optima 

Business Modem 



Internal Modem .. 
















































































































Riven: The
Sequel to Myst


RIVEN

that will become your world


MYST


$95

Book Encyclopedic, 

Encyclopedia y ^ 













































Resoluting name problems 


Advanced WINS Features 

Setting up push and pull 
WINS servers 


I’ve written several columns that covered name
resolution under Windows NT 3.x and 4.x.
This month and next, I’ll cover advanced
aspects of Windows Internet Name Service
(WINS) - push and pull partners, security, and WINS
proxy servers.

The Trouble with Names 

Windows NT and TCP/IP have a problem: names. We
want servers to have nice, human-friendly names such
as, in my network, Aldebaran, Rigel, Betelgeuse, and
Elnath. (They are the brightest and second-brightest
stars in the Orion and Taurus constellations. The brightest
are the primary domain controllers - PDCs, and the
second-brightest are the backup domain controllers -
BDCs.) Those names are easier to remember than IP
addresses such as 198.34.57.44, 198.34.57.11,
198.34.57.90, and 198.34.57.26. To satisfy both us and
the computers, networking software converts the
human-friendly names into IP addresses. The term for
that conversion is name resolution, and it typically involves
looking up the name in a database.

Name resolution makes NT networking with TCP/IP particularly troublesome because NT uses different kinds of names from other TCP/IP-based networks. Most use names such as http://www.mmco.com, a Domain Name Service (DNS) name. NT’s Microsoft networking lineage was not very TCP/IP- and Internet-aware until recently. Over the years, Microsoft networking has used a different set of names - NetBIOS names. So running NT on TCP/IP presents a special challenge: the network must resolve DNS names and NetBIOS names. The NetBIOS names are more central to NT’s operation. As a result, NT depends on NetBIOS over TCP (NBT or NetBT) for NetBIOS name resolution.

NBT name resolution occurs in NT with WINS. 
Basically, a designated NT server keeps a JET database of 
NetBIOS names and IP addresses. Workstations and 
servers refer to that WINS server to resolve names into 
IP addresses. But how does WINS gather information 
about computers on the network? Every computer that 
intends to use a given WINS server for name resolution 
registers its NetBIOS names with that WINS server. In 
a small network with one WINS server, you tell all your 
computers to refer to that WINS server. That server is 
the central repository for NetBIOS names. But what 
One virus could wipe out the entire population...

... guard against annihilation

Virus protection these days is a must. There are now thousands of computer viruses and more appear constantly. Viruses have the potential to down your systems, cause you loss in productivity and worst of all, destroy all the data on the system.

Even before diagnosis, viruses can cause system crashes and difficulties with software packages.

Every time your users swap disks, log onto the network, exchange email, or download files from the Internet, they are putting their data - and yours - at risk.

Vet it first. That’s why you need the protection of Australasia’s leading anti-virus software - VET. It’s a small investment with the potential to save you lots.

You’re in good company. VET is a world leader in the anti-virus field. An effective, proven virus destroyer, VET is relied on by major banks and financial institutions, industrial firms and government departments in over 30 countries including the UK, USA, Malaysia and New Zealand.

VET gives you total protection. VET protects 
against macro viruses and conventional viruses 
whether you’re using Windows 95, Windows NT, 
Windows 3.x, DOS or Novell NetWare. 

VET NT Server and VET NT Workstation give top 
level protection for NT versions 3.51 and 4.x and 
the server product features a Scheduler for 
maximum usability - set it up once and it will do 
the work for you. 

Software that’s easy to use. VET is designed 
for people, not just machines - it is easy to install 
and is totally automatic. Your staff can use their 


PCs normally while enjoying full, effective 
protection. 

VET offers automatic network installation and 
logging capabilities so you have full control of 
virus protection throughout the organisation. 

Protection that never stops. New viruses are 
constantly appearing. We work to ensure that you 
always have current protection which is 
dependable, functional and user-friendly. Each 
quarterly upgrade will provide protection for around 
500 new viruses. And more frequent upgrades are 
available any time from our web site. 

Support on your doorstep. With VET, support is 
available when and where you need it. And we’re 
based in Australia-so local support really means 
local support. Don't risk annihilation. VET it first! 


VET Anti-Virus Software Tel: 1300 364 750 

Head Office: 1601 Malvern Road Glen Iris Victoria 3146 

WWW http://www.vet.com.au Email info@vet.com.au 
about redundancy or the situation in which you need a second WINS server to handle your enterprise network? How does a second WINS server share the information the first WINS server owns? In that case, you need to know about push and pull partners.

When you set up a Microsoft TCP/IP client, NT asks for a primary and a secondary WINS server address. When your PC boots, it goes to the primary WINS server and tries to register its NetBIOS name. If the registration is successful, your PC never contacts the secondary WINS server, unless a subsequent name resolution attempt fails.

Nobody Home 

Suppose you create a backup WINS server and point all your workstations’ Secondary WINS Server fields to that backup. The primary WINS server goes down. Where are you? Nowhere very interesting. The secondary server doesn’t know much, because no one has registered with it. So if the primary server goes down and everyone starts asking the secondary server to resolve names, the secondary server just says, “Sorry, I can’t answer that question.” You must convince the primary server to replicate to the secondary server. Fortunately, an easy method exists: push and pull partners.

You can configure two WINS servers to be push and pull partners, or you can let them discover each other with a Registry entry. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS\Parameters, add a new entry, UseSelfFndPnrs, of type REG_DWORD. Set its value to 1 to cause the WINS server to periodically multicast to find other WINS servers and automatically replicate. This entry usually works for only WINS servers on the same subnet, because most routers don’t pass IP multicasts.

Alternatively, you can introduce the two WINS servers. WINS database replications transfer data from a push partner to a pull partner. For example, suppose you have two machines, Primary and Secondary. Primary gets the latest information because it is the primary WINS server. Secondary backs up Primary’s information. Thus, Secondary never has information to offer to Primary. In that case, Primary pushes its database changes to Secondary.

Push Me, Pull You 

In a push/pull relationship, data gets from Primary to Secondary in one of two ways. First, Secondary (the pull partner) can request that Primary (the push partner) update Secondary, telling Secondary only what has changed in the database. Alternatively, Primary can say to Secondary, “I’ve made a lot of changes since the last time I updated you. You should request an update.” The pull partner does most of the work initiating the replication updates. All the push partner does is suggest that the pull partner start requesting updates.

Can you tell Secondary to be a pull partner with Primary, without telling Primary to be a push partner for Secondary? You might think so, but if Secondary starts pulling from Primary, Primary will refuse to respond to Secondary’s pull request unless you’ve configured Primary as a push partner with Secondary. Thus, you need to make Secondary a pull partner with Primary, and make Primary a push partner with Secondary.

What triggers the WINS database replication process? Recall that either partner can start the conversation. In the case of a push partner, you configure it to contact its partner and suggest a replication session based on the number of database changes. You can tell Primary to notify Secondary whenever 50 (or any number greater than 19) changes have occurred to the WINS database on Primary. (You can alternatively trigger replication from the WINS Manager.)

A pull partner, which doesn’t know how many changes have occurred, requests updates based on time. You configure a pull partner to contact its partner every so many minutes, hours or days.
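
The push/pull rules described above, modelled as a small C program. This is an added example, not code from the column or from WINS itself: the Wins structure, the function names and the per-owner version counters are assumptions made for illustration, and only the server name, its address and the minimum update count of 20 come from the text.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 64
#define MAX_SERVERS 4
#define MIN_UPDATE_COUNT 20   /* text: "any number greater than 19" */

typedef struct {
    char name[16];            /* NetBIOS name, at most 15 characters */
    char ip[16];
    int owner;                /* id of the server the client registered with */
    unsigned version;         /* owner's change counter for this record */
} Record;

typedef struct {
    int id, count;
    Record db[MAX_RECORDS];
    unsigned version;                  /* local change counter */
    unsigned seen[MAX_SERVERS];        /* highest version pulled, per owner */
    int push_partner_for[MAX_SERVERS]; /* 1 = answers pulls from that id */
    unsigned update_count;             /* push trigger threshold */
    unsigned unannounced;              /* changes since last push notice */
} Wins;

void wins_init(Wins *w, int id) {
    memset(w, 0, sizeof *w);
    w->id = id;
    w->update_count = MIN_UPDATE_COUNT;
}

/* Push trigger threshold; values below the minimum are rejected. */
int wins_set_update_count(Wins *w, unsigned n) {
    if (n < MIN_UPDATE_COUNT) return -1;
    w->update_count = n;
    return 0;
}

static Record *find(Wins *w, const char *name) {
    for (int i = 0; i < w->count; i++)
        if (strcmp(w->db[i].name, name) == 0) return &w->db[i];
    return NULL;
}

static int store(Wins *w, const char *name, const char *ip, int owner, unsigned ver) {
    Record *r = find(w, name);
    if (!r) {
        if (w->count == MAX_RECORDS) return -1;
        r = &w->db[w->count++];
    }
    snprintf(r->name, sizeof r->name, "%s", name);
    snprintf(r->ip, sizeof r->ip, "%s", ip);
    r->owner = owner;
    r->version = ver;
    return 0;
}

/* Client registration. Returns 1 when the push trigger fires (the partner
   should be told to request an update), 0 otherwise, -1 if the database is full. */
int wins_register(Wins *w, const char *name, const char *ip) {
    if (store(w, name, ip, w->id, w->version + 1) != 0) return -1;
    w->version++;
    if (++w->unannounced < w->update_count) return 0;
    w->unannounced = 0;
    return 1;
}

const char *wins_resolve(Wins *w, const char *name) {
    Record *r = find(w, name);
    return r ? r->ip : NULL;
}

/* Pull replication, started by the pull partner. Returns the number of changed
   records copied, -1 if the source is not a push partner for the puller, -2 if full. */
int wins_pull(Wins *puller, Wins *source) {
    unsigned base = puller->seen[source->id], high = base;
    int copied = 0;
    if (!source->push_partner_for[puller->id]) return -1;
    for (int i = 0; i < source->count; i++) {
        const Record *r = &source->db[i];
        if (r->owner != source->id || r->version <= base) continue;
        if (store(puller, r->name, r->ip, r->owner, r->version) != 0) return -2;
        if (r->version > high) high = r->version;
        copied++;
    }
    puller->seen[source->id] = high;
    return copied;
}

int main(void) {
    Wins primary, secondary;
    wins_init(&primary, 0);
    wins_init(&secondary, 1);
    wins_register(&primary, "ALDEBARAN", "198.34.57.44");
    printf("pull before push is configured: %d\n", wins_pull(&secondary, &primary));
    primary.push_partner_for[secondary.id] = 1;
    printf("pull after push is configured: %d\n", wins_pull(&secondary, &primary));
    printf("secondary resolves ALDEBARAN to %s\n", wins_resolve(&secondary, "ALDEBARAN"));
    return 0;
}
```

The second pull in a row copies nothing, because the pull partner only asks for records newer than the highest version it has already seen from that owner.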

Less Is More 

I have more to tell you about WINS, but 
I’m out of space for this month. Before 
you experiment with extra WINS servers, 
however, I have three important pieces of 
advice. First, when it comes to WINS 
servers, less is more. Microsoft claims that 
it runs its entire worldwide enterprise 
with only 15 servers. Don’t start setting up 
WINS servers all over the place. Second, 
if you set up a WINS server, don’t put it 
on a multihomed PC (a computer with 
more than one NIC). This configuration 
has traditionally been a problem for 
WINS servers. Third, don’t set up a test 
WINS server, register a few names on it, 
have a production WINS server pull the 
names from the test server, and then shut 
off the test WINS server for good. WINS 
will refuse to delete names that it got from 
another server, no matter how old and 
expired the names are, until it can do a 
final double-check with the WINS server 
that provided the names originally. If you 
shut off the test server and never turn it 
back on, those records never go away. □ 











Inside On-Access Virus Scanners

Building virus-scanning functionality with file system filter drivers




As our reliance on computers has grown, so have the networks that connect computers. We typically connect computers via a LAN, and either directly or indirectly via the Internet. Although this connectivity facilitates sharing programs and documents, it heightens the risk of infecting files with annoying or destructive viruses. Consequently, you rarely find a Windows NT system that doesn’t run a virus-scanning product to check files for the presence of viruses and prevent them from entering the system.

This month, I’ll explore the internals of on-access virus scanners for NT. First, I’ll briefly describe how on-access virus scanners work. Next, because on-access virus scanners work with file system drivers to check files for viruses, I’ll introduce how file system drivers (FAT, NTFS, etc.) interact with NT through the I/O Manager. I’ll conclude by describing where on-access virus scanners fit into NT.


Virus Scanning Basics 

Virus scanners check files in one of two ways. An on-demand virus scanner examines every file on a disk (or within subdirectories that you specify) and searches for viruses it knows about or for signatures common to certain types of viruses. You can usually trigger on-demand virus scanners manually, or automatically at regular intervals (e.g., during system boot). The drawback of on-demand virus detection is that files you download or copy onto the system can infect the computer before the virus scanner checks for viruses.


On-access virus scanning is proactive. On-access virus scanners stop virus activation because the scanners check files at the time you open or execute them. Thus, if you download an infected Microsoft Word document to your hard disk, before Word can open the file, the virus scanner makes sure the file is clean. When the virus scanner detects a virus in a file, the scanner either removes the virus or returns an error code to the application opening the file to prevent the open operation from proceeding.

Virus-scanning products for NT perform either or 
both types of virus scanning. Implementing on-demand 
virus scanning is relatively straightforward: the scanner 
opens the files and looks for signs of viruses. A Win32 
program that uses standard APIs can easily provide this 
functionality. 

Implementing an on-access virus scanner is much trickier. You cannot use the Win32 API to direct NT to check files whenever other programs (including NT) open or execute the files. Furthermore, scanning must be transparent to the applications running on the system. For example, Word must be able to open files in its usual manner. The only way to provide this functionality is to write a special type of device driver known as a file system filter driver.

The I/O Manager and File Systems 

File system filter drivers hook themselves on top of file systems so that they can intercept requests headed toward the file systems. The drivers review each request and reject it, pass it to the file system, or change it on the way to the file system. The drivers can also examine the results of requests on the way back from the file systems. On-access virus scanners ensure that files are free of viruses when you open them, so the file system filter drivers process only open requests.

Figure 1: Win32 ReadFile Request Flowing Through NT

Figure 2: Virus Scanner File System Filter Driver
(1) Original CreateFile IRP from I/O Manager
(2) CreateFile IRP propagated to file system
(3) Virus scanner reads and checks file; if virus detected, vir
(4) Virus scanner returns original CreateFile result, or failure

To better understand this design, you need to understand how file systems are integrated with NT and how a file system services I/O requests (e.g., from a Win32 program). The following description generally holds true for all types of file system requests (e.g., create, read, write), but I’ll concentrate on what happens when a typical Win32 program uses the ReadFile API to read from a file.

Figure 1 shows the main system components involved in servicing the read request. NT implements the ReadFile API in Kernel32.dll, a standard NT component that’s part of the Win32 subsystem. Kernel32 is the library in which NT implements all file, process, and memory-management Win32 APIs. Some APIs, such as CreateProcess, require that the library send messages to the Win32 subsystem process to service the APIs. However, most APIs (including ReadFile) do not. Kernel32 takes the parameters passed in the ReadFile call and constructs a call to NT’s kernel-mode API. In the kernel-mode API (also known as NT’s native API), all the functions begin with “Nt.” The kernel-mode function for reading a file is NtReadFile.

When Kernel32 issues a native NT API call, the processor switches into kernel mode, and the native API call enters the NT kernel. All native API calls enter through the same doorway: the kernel funnels requests to the kernel-mode function that handles them. The kernel-mode NtReadFile function constructs an I/O request packet (IRP) and initialises it with all the information to describe the request (e.g., which file to read from, the starting offset and length of the read, and the buffer that will receive the data on successful completion). NtReadFile calls the I/O Manager to send the IRP to the file system of the drive where the file resides. For example, if the C drive is an NTFS drive, reading C:\markl causes the I/O Manager to call the NTFS driver.


File systems resolve some requests without ever touching the disk. In the read example, if the data resides in the file system cache, NTFS completes the IRP immediately. If the cache does not contain the data, NTFS must create one or more new IRPs that instruct the hardware device driver managing the C drive’s hard disk to fetch the data from the disk. When the driver completes these IRPs, NTFS can complete the IRP that NtReadFile sent. When the target file system completes NtReadFile’s IRP, the call to ReadFile ends and control returns to the Win32 program; the program can now look at the file data.

Well, that’s the general idea, anyway. I’ve described a synchronous system, in which control does not return to the originator of an IRP (NtReadFile or NTFS in the read example) until the IRP finishes. NT can service requests synchronously, but it more often services requests asynchronously. When a file system cannot process a request immediately because a disk driver must fetch some data, the file system returns a pending status for the request. Through an event object associated with the IRP, the I/O Manager reports the IRP’s completion to the initiator of the IRP. When the caller wants to wait for the IRP to finish, the caller waits for the event object’s signal. The I/O Manager creates an event object in an un-signaled state and switches it to a signaled state when the IRP finishes.

NtReadFile (from the read example) is by default an asynchronous API. NtReadFile returns control to Kernel32 whether or not the request has finished; Kernel32 must wait for the call’s event object signal. This arrangement preserves the design behaviour of Win32 ReadFile, which is by default a synchronous API.

File System Filter Drivers 

The I/O Manager provides a facility 
whereby a device driver can attach itself to 
another driver, letting the attaching driver 
filter the requests directed to the other 
driver. File system filter drivers are very 
popular and versatile; you can build in all 
types of functionality with them. For 
example, a file system filter driver can 
encrypt data on the way into a file system 
and decrypt it on the way out. You can 
design a file system filter driver to encrypt 
specific files or an entire disk, providing 
high levels of security. A file system filter 
driver can function as a license manager, 
which ensures that users obtain a token 
from a controller before they can open 
(and run) certain applications. Of course, 
file system filter drivers are also ideal for 
implementing on-access virus scanners. 

Figure 2 shows how a virus-scanning file system filter driver might intercept and process a request to open a file. NT uses CreateFile IRPs to create new files or open existing files. Therefore, virus scanners intercept CreateFile requests to ensure that any file being opened is free of viruses. Most NT virus scanners let you specify that only certain types of files (e.g., with .dll, .exe, or .doc extensions) be scanned. The file system filter driver first checks to see whether a file is on the list of file types to scan. If the file does not need to be scanned, the file system filter driver gets out of the way of the request, passing the IRP to the file system and ignoring the IRP’s return status.

If the file needs to be scanned, the file system filter driver lets the CreateFile IRP continue to the file system and waits for the IRP to finish. If the IRP’s result status shows that an error occurred during opening of the file, the virus scanner simply passes the status back to the I/O Manager. This arrangement prevents the scanner from doing extra work when the file being opened does not exist, or the user does not have permission to access the file in the way the user requested. If the file system determines that the file was opened successfully, the file system filter driver sends ReadFile IRPs to the file system to obtain the contents of the entire file. The scanner waits for the IRPs to complete before it continues its proprietary scanning step.



The virus scanner’s library of viruses and virus signatures guides the scanning step. A virus-scanning file system filter driver will usually obtain this library from a Win32 program that runs as the system boots, or by reading the library from a file when the virus scanner initialises. The value of an on-access virus scanner is the comprehensiveness of its library; as long as the scanner works transparently, users don’t care how cleverly the virus scanner’s programmers have implemented the file system filter driver.

If the scanner detects a virus in the file, the file system filter driver closes the file and returns an error to the I/O Manager. The default error code on many virus-scanning packages is access denied, which is the error code returned when you open a file for exclusive access and another program already has it open, or when you try to open a file and its security settings prevent you from doing so. Most NT virus scanners also have options to log detections to a file, copy infected files to a specified location, or delete infected files.
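
The open-request handling described above and outlined in Figure 2, modelled in user-mode C. This is an added example, not code from the article or from any scanner product: the in-memory volume, the status constants and the DEMO-SIGNATURE-0001 marker are constructed for illustration, and a real filter would be a kernel-mode driver working on IRPs rather than on function calls.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Model status codes for this sketch; they are not real NTSTATUS values. */
enum { ST_SUCCESS = 0, ST_NOT_FOUND = 1, ST_ACCESS_DENIED = 2 };

typedef struct { const char *name; const char *data; size_t len; } File;
#define FILE_ENTRY(n, d) { n, d, sizeof(d) - 1 }
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed in-memory volume standing in for the file system below the filter. */
static const File g_volume[] = {
    FILE_ENTRY("C:\\docs\\report.doc", "quarterly figures"),
    FILE_ENTRY("C:\\docs\\macro.doc",  "header DEMO-SIGNATURE-0001 trailer"),
    FILE_ENTRY("C:\\docs\\notes.txt",  "DEMO-SIGNATURE-0001"),
};
static const char *g_scan_ext[] = { ".dll", ".exe", ".doc" };   /* types named in the text */
static const char *g_signatures[] = { "DEMO-SIGNATURE-0001" };  /* constructed, harmless */

/* Lower layer: the "file system" completing a CreateFile request. */
static int fs_create(const char *name, const File **handle) {
    *handle = NULL;
    for (size_t i = 0; i < COUNT(g_volume); i++)
        if (strcmp(g_volume[i].name, name) == 0) {
            *handle = &g_volume[i];
            return ST_SUCCESS;
        }
    return ST_NOT_FOUND;
}

/* Case-insensitive comparison of two extensions. */
static int same_ext(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int on_scan_list(const char *name) {
    const char *dot = strrchr(name, '.');
    for (size_t i = 0; dot && i < COUNT(g_scan_ext); i++)
        if (same_ext(dot, g_scan_ext[i])) return 1;
    return 0;
}

/* Length-bounded substring search, so file data may contain NUL bytes. */
static int contains(const char *buf, size_t len, const char *sig) {
    size_t n = strlen(sig);
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(buf + i, sig, n) == 0) return 1;
    return 0;
}

typedef struct { int status; int scanned; } OpenResult;

/* The filter's handling of one open request. */
OpenResult filter_create(const char *name, const File **handle) {
    OpenResult r = { ST_SUCCESS, 0 };
    if (!on_scan_list(name)) {            /* not a listed type: step aside */
        r.status = fs_create(name, handle);
        return r;
    }
    r.status = fs_create(name, handle);   /* forward the open and wait for it */
    if (r.status != ST_SUCCESS)           /* open failed: nothing to scan */
        return r;
    r.scanned = 1;                        /* read the whole file and scan it */
    for (size_t i = 0; i < COUNT(g_signatures); i++)
        if (contains((*handle)->data, (*handle)->len, g_signatures[i])) {
            *handle = NULL;               /* close the file ... */
            r.status = ST_ACCESS_DENIED;  /* ... and fail the caller's open */
            break;
        }
    return r;
}

static const char *status_name(int s) {
    return s == ST_SUCCESS ? "success" : s == ST_NOT_FOUND ? "not found" : "access denied";
}

int main(void) {
    const char *names[] = { "C:\\docs\\report.doc", "C:\\docs\\macro.doc",
                            "C:\\docs\\missing.exe", "C:\\docs\\notes.txt" };
    for (size_t i = 0; i < COUNT(names); i++) {
        const File *h;
        OpenResult r = filter_create(names[i], &h);
        printf("%-22s scanned=%d status=%s\n", names[i], r.scanned, status_name(r.status));
    }
    return 0;
}
```

In this model notes.txt is opened without being scanned because its extension is not on the list, so the file-type list is part of what determines the scanner's coverage.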

Once a virus scanner identifies a virus, it can often eliminate the virus from the file. If you’ve enabled virus removal, the virus scanner’s file system filter driver removes the virus and writes a clean version of the file to the file system before the file open operation continues. This process is transparent to the program opening the file because the file system filter driver holds the CreateFile IRP until it finishes the scanning and cleaning steps. An application cannot distinguish introduced delays from delays that the application encounters when other programs read and write files.

The organisation I’ve presented in Figure 2 isn’t the only strategy that on-access virus scanners can implement. Some solutions perform part of their processing in a Win32 program with a tight communications link to the file system filter driver. This off-loaded processing can include anything from scanning or cleaning the file to moving the file to the dedicated directory and notifying the user via a dialogue box.

That's a Wrap 

Remember that when you evaluate a virus 
scanner for your systems, the key factor is 
how many viruses the scanner’s library 
contains, rather than how much of the 
program the developers implement in a 
device driver. Of equal importance is 
whether the vendor provides online access 
to virus-library updates. With these points 
in mind and with your understanding of 
how on-access virus scanners integrate 
with NT, you’re well-equipped to select a 
virus scanner that meets your needs. □ 



Mark Russinovich holds a Ph.D. in computer engineering and is an NT internals consultant in Nashua, USA. You can reach him at mark@ntinternals.com or at http://www.ntinternals.com.
Connecting Web Clients To Exchange

Access your mailbox from your Web browser




Universal client access is a big selling point for Exchange 5.0. With the new high-function Outlook client, support for shareware and commercial POP3 clients, and support for Web browsers, Microsoft has addressed a major weakness of Exchange by letting many new clients connect to an Exchange server. Microsoft will extend the range with support for Internet Mail Access Protocol 4 (IMAP4) clients in the Exchange Osmium release due at the end of 1997. (For more information about the Exchange Osmium release, see the news story “Exchange Server 5.5 beta available,” that appeared in last month’s issue.)

With universal access, Web browsers can connect to mailboxes and public folders held on an Exchange server. Most browsers are potential Exchange clients. In this article, I’ll look at how Microsoft has enabled access for Web browsers and investigate whether you should use the Web interface in your deployment.

Active Messaging 

Let me begin by stating that the phrase “Web client for Exchange” is technically inaccurate, but it best conveys the sense of what happens. You can use any Web browser that supports frames and JavaScript to connect to a mailbox on an Exchange server. But the magic is not in frames or JavaScript. Instead, the magic is in a set of Active Server Pages (identified by the .ASP extension that differentiates them from standard HTML pages) that hold JavaScript or Visual Basic Script (VBScript) code. Active Server Pages don’t use ActiveX controls because ActiveX doesn’t run on platforms such as Apple Macintosh, IBM OS/2, and UNIX.

The server, not the Web browser, interprets and executes the code in Active Server Pages. You link a Web browser to Exchange through a server-side Active Messaging application. The Active Server Pages that link the Web to Exchange compose the Active Messaging application.

Supported Web Servers and Browsers 

Only Microsoft’s Internet Information Server (IIS) 3.0 supports Active Messaging. You can install IIS and Exchange on the same server, or you can keep them separate and connect them through the network. Also, Windows NT 3.51 does not support Active Server Pages, so you need to bite the bullet and upgrade to NT 4.0 Service Pack 3 (SP3) on at least one server to support browser access to Exchange. (You can use NT 4.0 SP2 with IIS, but the combination is buggy.) A server running NT, … mediate passthrough access to Exchange mailboxes running NT 3.51. In this scenario, the NT 4.0 server passes function calls to the Exchange server. The operating system version doesn’t matter.

Although Microsoft doesn’t support it, Active Messaging can access Exchange 4.0 mailboxes. However, many features, including directory access and the ability to create and send mail, don’t work when a Web browser connects to an Exchange 4.0 server. You can use Active Messaging in a mixed Exchange 4.0/5.0 site. In this situation, IIS runs on a server that also runs Exchange 5.0. All the links between clients and servers take place over the network. However, Microsoft does not support Web access to Exchange 4.0 mailboxes, even in a mixed Exchange 4.0/5.0 site. If you’re interested in Web access to Exchange, upgrade your servers to 5.0. The upgrade to 5.0 is simple and avoids an overcomplicated configuration.

Don’t assume that you can connect any old browsers (even the most recent variety with stated support for frames and JavaScript) to Exchange. For instance, Netscape 2.02 supports both frames and JavaScript, but if you try to connect this browser to a mailbox, you’ll get the error “JavaScript Alert: Failed to get inbox.” Active Server Pages contain code that controls client logons to Exchange to block older browsers that can’t provide the necessary support. Netscape 3.0 or Internet Explorer (IE) 3.02 (or later versions) work.

Configuring Connections 

Exchange 5.0 installation creates a new root directory called \WEBDATA under the main Exchange server directory. Exchange allocates a subdirectory to each language. The \USA directory is the directory for English (US). All the Active Server Pages required to drive the Web client reside in a set of directories under this root. For example, the \WEBDATA\USA\PF directory holds all the Active Server Pages and graphics (.GIF) files necessary for authenticated access to public folders, and the \WEBDATA\USA\ANON directory holds the code for anonymous access to public folders.

After you install the Active Server Pages, check to ensure that the HTTP protocol is enabled on each Exchange site that will support Web browser access. Select the protocols container for the site configuration object and select HTTP. Click to see the properties for the protocol, as Screen 1 shows. On this screen, you can select whether anonymous users (people who don’t have a mailbox on this server and can’t establish an authenticated identity) can access public folders and browse the Global Address List (GAL).

The final step in establishing Web connectivity to mailboxes is to ensure that the Lightweight Directory Access Protocol (LDAP) is enabled on the Exchange server. Failure to enable LDAP will result in users seeing the message, “Sorry! The Microsoft Exchange Server is down or the HTTP Service has been disabled by an administrator. Please try your request again later,” when they attempt to log on.

Allowing anonymous access to public folders is a three-stage process. First, you must adjust the properties for the HTTP protocol. Second, you must create a shortcut to each public folder you want to open for general viewing. Finally, you must change the permissions on each public folder to permit some level of access for anonymous users. By default, the permissions placed on a public folder allow no anonymous access.


Screen 1: Setting the HTTP properties for a site

Screen 2: Connecting to Exchange with IE 3.0



The shortcuts are an important part of the 
mechanism that facilitates anonymous 
access. Without shortcuts, each time an 
anonymous user attempts to access a public 
folder the server must navigate through a 
potentially very large public folder hierarchy 
to build a list of open folders. 

Making the Connection 

To access your mailbox, point your browser to a universal resource locator (URL), such as http://<server_name>/Exchange. The same URL works locally and across the wider network. Screen 2 shows a logon dialog box in progress to let a user access my mailbox.

You can insert a URL pointing to Exchange/Active Messaging in any HTML page. When someone accesses the page, IIS looks at its list of services to locate the root directory for Exchange. Typically, the root is \EXCHSRVR\WEBDATA, which contains the GLOBAL.ASA file. GLOBAL.ASA initialises the application and calls LOGON.ASP, the Active Server Page controlling the logon process. To connect, a user must enter the mailbox name (the alias or directory name is enough) and click the link to Exchange to get a password prompt. Depending on the browser, you have a choice of basic (clear text) authentication or NT challenge/response (the type of logon MAPI clients use to connect to Exchange). NT challenge/response (sometimes called NTLM) protects passwords by encrypting the client/server exchange during the authentication process. Out of the box, Netscape Navigator supports only basic authentication, and IE (2.0 or later) supports both types of authentication. You can update Navigator to support NTLM with Microsoft Authentication Proxy for Netscape Navigator (MAPN), available for download at http://backoffice.microsoft.com/DownTrial/mapn.asp. Make sure you set the IIS password authentication properties appropriately, as Screen 3 shows.
If you want to use NTLM, you must install and run IIS on every Exchange server that supports browser access to mailboxes. If you want to run IIS on one system to provide access to many Exchange servers, you’re limited to basic authentication. Also, domain users need the right to log on locally to the system hosting IIS.

Communications between browsers and the Active Messaging application use standard HTTP. Active Messaging interprets the commands coming from the browser (i.e., open a folder, read a message), translates the requests into MAPI function calls, and sends them to Exchange for processing. Exchange sees the Web client as just another client and doesn’t differentiate how it responds to requests. Exchange sends the results of the MAPI function calls to Active Messaging, which translates MAPI into HTML and dispatches the resulting data to the browser for display.

You can use Secure Sockets Layer (SSL) to encrypt the byte stream passing between browsers and Active Messaging. However, you must configure SSL before you can use it. IIS Help has configuration details. Part of the configuration process involves acquiring a key from a certification authority, such as VeriSign (for instructions, see http://www.verisign.com/microsoft).
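
Why the choice between basic authentication and NTLM, and the SSL option described above, matter for a deployment, shown as a small audit routine in C. This is an added example, not code from the article or from IIS or Exchange: the two requests, the host name mail.example.test and the credentials user:pass are constructed, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_NONE, AUTH_BASIC, AUTH_NTLM, AUTH_OTHER } Scheme;

/* Constructed requests: the same logon to /Exchange with each scheme. */
static const char REQ_BASIC[] =
    "GET /Exchange/ HTTP/1.0\r\n"
    "Host: mail.example.test\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n\r\n";
static const char REQ_NTLM[] =
    "GET /Exchange/ HTTP/1.0\r\n"
    "Host: mail.example.test\r\n"
    "Authorization: NTLM TlRMTVNTUAABAAAA\r\n\r\n";   /* placeholder negotiate message */

static int b64_value(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decodes in[0..in_len) into out as a NUL-terminated string.
   Returns the decoded length, or -1 on a bad character or short buffer. */
int b64_decode(const char *in, size_t in_len, char *out, size_t cap) {
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; i < in_len && in[i] != '='; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0 || n + 1 >= cap) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Locates the Authorization header; *value and *len describe its credentials field. */
Scheme auth_scheme(const char *request, const char **value, size_t *len) {
    static const char key[] = "\r\nAuthorization: ";
    const char *h = strstr(request, key);
    Scheme s = AUTH_OTHER;
    *value = NULL;
    *len = 0;
    if (!h) return AUTH_NONE;
    h += sizeof key - 1;
    if (strncmp(h, "Basic ", 6) == 0) { s = AUTH_BASIC; h += 6; }
    else if (strncmp(h, "NTLM ", 5) == 0) { s = AUTH_NTLM; h += 5; }
    *value = h;
    *len = strcspn(h, "\r\n");
    return s;
}

/* Audits one captured request. Returns 1 (a finding) when basic credentials
   crossed a connection without SSL; account receives the exposed user name. */
int audit_request(const char *request, int over_ssl, char *account, size_t cap) {
    const char *value;
    size_t len;
    char decoded[128];
    if (cap) account[0] = '\0';
    if (auth_scheme(request, &value, &len) != AUTH_BASIC) return 0;
    if (b64_decode(value, len, decoded, sizeof decoded) < 0) return 0;
    decoded[strcspn(decoded, ":")] = '\0';   /* report the name, not the password */
    snprintf(account, cap, "%s", decoded);
    return !over_ssl;
}

int main(void) {
    char account[32];
    int finding = audit_request(REQ_BASIC, 0, account, sizeof account);
    printf("basic, no SSL: finding=%d account=%s\n", finding, account);
    printf("basic, SSL:    finding=%d\n", audit_request(REQ_BASIC, 1, account, sizeof account));
    printf("NTLM, no SSL:  finding=%d\n", audit_request(REQ_NTLM, 0, account, sizeof account));
    return 0;
}
```

The basic header is only base64-encoded, so the whole name:password pair is readable to anyone who sees the request, which is why a single IIS front end limited to basic authentication should be paired with SSL.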

The link between Exchange and Web browsers is usually fast. Web clients initially exchange more data with the server because the Web client must download graphics and mailbox data. Over a session, the demands that either client makes are broadly equitable, although clearly this situation varies from user to user and depends on the work done in a session. My experience with dialing in to Exchange around the world shows that HTTP is often more reliable than remote procedure calls (RPCs) across extended telephone links. RPCs tend to time out when you encounter network problems, and you can use a browser to read and send mail when the Exchange or Outlook clients show that the server is unavailable.

Screen 4: Browsing an Exchange folder through IE


What Can You Expect to Do? 

Table 1 summarises the features you can 
expect to use with MAPI and Web clients. 
This table is only an overview and doesn’t 
include all the features available in the 
MAPI clients. 

Although Table 1 shows that the Web client lacks several features, Microsoft will address the missing features as development resources allow. For example, Exchange 5.0 SP1 (released at the end of June 1997) supports move/copy items and uploading attachments. You’ll need to upgrade your server to NT 4.0 SP3 and upgrade the Active Server Pages to version 1.0b to support these new features. All the necessary code is on the SP3 CD-ROM. A hot fix is available for NT 4.0 SP3 to cure a memory leak that occurs in Active Messaging applications. Install this fix if you want to use Web clients for anything more than casual access. Hot fixes for NT are available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes.

■ Screen 3: Changing the IIS password authentication options

Microsoft plans to include calendaring for Web browsers in the Exchange Osmium release. You can read Microsoft’s public position on calendaring at http://www.microsoft.com/Outlook/documents/OWA/Web_Acc.htm. Microsoft’s Exchange development group demonstrated Web-based scheduling as long ago as the Exchange Deployment Conference in September 1996. However, Microsoft wrote the prototype Web integration with Schedule+ as one large Internet Server API (ISAPI) application. Now Microsoft has rewritten the calendaring application into a set of Active Server Pages. When released, the calendaring application will support both Schedule+ and Outlook-style calendaring.

With respect to electronic forms, Microsoft intends to move from the current Visual Basic-style implementation toward HTML-based e-forms. When this change occurs, we’ll have platform-independent e-forms.

The Look of the Client

By definition, the Web client’s appearance is limited to what you can do with graphics, frames, and data arranged within a browser’s display area. Browsers can operate under Windows but cannot take advantage of any one operating system. So independent scrolling of folders and folder contents is not possible, and the display doesn’t have a menu bar. Microsoft originally called the Web connection Outlook WebView, but changed the name to Outlook Web Access in Exchange 5.0 SP1. Associating browser connections with the Outlook name is a good indication that Microsoft plans to create a family resemblance (as far as possible) across all client email software. Screen 4 shows the Web interface to Exchange.

Microsoft isn’t the only company building browser interfaces for email. Screen 5 illustrates the interface for a free mail service at http://www.mailcity.com. With these services, the POP3 protocol capabilities limit the client’s functionality.

■ Screen 5: Using a free mail service on the Web

■ Table 1: Feature Comparison Between MAPI and Web Clients

Feature    MAPI Client (Outlook or Exchange)    Web Client

Access any folder in a mailbox
Access public folders
Create and send new messages
Reply to message
Read .RTF text in messages
Read attachments
Forward message
Set Inbox Assistant Rules
Set Out of Office Assistant
Change folder permissions
Set and apply auto-signature text
Use calendaring
Access the PAB
Access the GAL
Create new folder
Delete folder
Move/copy folder
Move/copy items
Delete items
Personal folder views
Offline folders
Access to personal folders
Post new item in folder
Encrypt or decrypt messages
Add attachments to messages
Apply digital signatures to messages
Create user-specific folder views
Process electronic forms
Auto-archiving

Processing Mail

You use separate windows to create new messages, read mail, set options (the only option available in this release is the Out of Office Assistant), and search the directory. The windows share a common appearance

and are functior 
extended feat 
example, MAPI clients can use Ctrl+K to 
check addresses in a message header against 
the Exchange directory. The Web client 
waits to check address data until you 
attempt to send a message. 

Suppose, for example, that I send a message to Daragh Morrissey, and Daragh has two addresses in the Exchange directory. The Web client detects multiple address entries, flags an error, and displays the addresses to let the sender select the correct entry, as Screen 6 shows. Ideally, the sender clicks the correct address to place it in the message. Unfortunately, with the current browser interface, you must copy the address into the message header.

The Web client correctly handles attachments and the Rich Text Format (.RTF) text in messages MAPI clients send. The Web client translates the .RTF text into HTML and displays it in the usual manner, as Screen 7 shows. The Web client retrieves attachments from the server and launches the appropriate application to process them, assuming the application is installed on the PC. In common with other Microsoft desktop applications, IE 3.0 supports Object Linking and Embedding (OLE) in-place editing, so you can view Word, Excel, and PowerPoint documents within a browser window.

Anonymous Access 

Anonymous access is a method for publishing the contents of public folders to people who don’t have Exchange mailboxes (e.g., during deploym people are migrating to Exchange). You can store lots of great information in public folders, and you’ll want everyone to have access. You can direct users to the default logon that Screen 2 shows and tell them to click the Public Access link, or you can create your own links to specific public folders.

■ Screen 6: Resolving multiple addresses for a message

■ Screen 7: Displaying RTF format content in a Read Message window

Exchange stores public folders in the public information store, one of the three major databases Exchange uses. The link pointing to a specific folder doesn’t make much sense. But Exchange knows how to use the link to navigate through the public information store to the right folder. For example, the Exchange server I use has a public folder that holds all the messages posted to the Internet mailing list for Exchange. To create a link on a Web page to this folder, I changed the client permissions for the folder to permit read access for anonymous logons. Then I used the administration program to modify the site HTTP object and create a shortcut to the folder. I logged on with anonymous access to the server and verified that I had access to the folder. I clicked Update Page Address to retrieve the complete link for the folder. The information appeared as a URL at the top of the browser, and I copied it to the clipboard. Next I opened the HTTP source of the page where I wanted to create the link and added the following text:

<a href="http://dbo-exchangeist.dbo.dec.com/exchange/anon/root.asp?obj=000000001A447390AA6611CD9BC800AA002FC45A0300E181F44FDB37D011A5480020AFF54A230000000331810000">Internet Mailing List for Microsoft Exchange</a>

This address is specific to a server. The link 
is cumbersome, but it works. 

Think of the possibilities of this functionality. You can easily publish marketing information to the Web or make technical support hints and tips from your Help desk available to users through a link on your company’s home page.

Static and Dynamic Connections

Today’s connections between Web clients and an Exchange server are static. The connections have none of the dynamic interaction that you see between the MAPI-based Outlook or Exchange clients. A Web browser requests data from a server and displays the information in a graphical layout. The browser then waits for the next instruction. Client-driven rules, signals that new mail has arrived, or dynamic refreshes of folder contents do not happen with today’s technology. However, this situation might change soon as the HTML standard evolves. Microsoft is pushing Dynamic HTML, an extension that lets you cache data to manipulate it on a local client. The first iteration of Dynamic HTML is in IE 4.0, and although it won’t immediately change the passive nature of the Web client, the advent of Dynamic HTML points to the future.

Other developments will help, too. Request for Comments (RFC) 1867 details how to perform file uploads from Web browsers to a server. Netscape Navigator was the first browser to support this standard, but a bug in the IIS scripting engine caused uploads to fail most of the time. Microsoft has fixed the IIS bug and added the client upload capability to IE 3.02 (you can get an add-on for IE 3.02 at http://www.microsoft.com/ie/download). An update to Active Messaging in Exchange 5.0 SP1 supports adding attachments to messages.

Web Browsers Deliver 

Active Messaging is a neat application. Microsoft has fully exploited the potential of browsers to deliver real information in a useful manner. At the same time, the availability of a Web client provides answers to some of the problems you can experience in large deployment projects. I’m curious to see how Microsoft continues to develop Active Messaging. A dynamic, full-featured Web client is not too far away.



Tony Redmond is the technical director of Digital Equipment's European Messaging Team based in Ireland. You can reach him at tredmond@mail.dec.com.

Tricks & Traps

Q: Can you summarise the steps for using Windows NT’s Directory Replicator service and tell me how to troubleshoot this service?

A: Creating the Directory Replicator service does not have to be difficult. Keeping it working properly, however, can be frustrating.

To install NT’s Directory Replicator service, you need to have an export server and one or more import servers.

1. On the export server, open User Manager for Domains in the Administrative Tools. At the Primary Domain Controller (PDC), create a new user that is a default member of the Domain Users group. I named this user REPL. Be sure you clear the “User must change password at next logon” checkbox.

2. Open Control Panel and run the Services applet. Choose Startup for the Directory Replicator service, and change the Startup Type from Manual to Automatic. In the Log On As control, choose This Account. Click the browse button on the right side of the window, and locate the new user account you added in step 1. Double-click the account name, add the appropriate password, and click OK. The system will display the message that NT has granted the domain user the right to Log On As Service and added this user account to the Replicator local group, as you see in Screen 1. (NT also adds the user account to the local Backup Operators group.) Click OK on the message box.

3. Open Server Manager in the Administrative Tools, and double-click the name of the server on your network that you want to export files from. Click the Replication button, and select Export Directories, as you see in Screen 2. The \winnt\system32\repl\export directory is the default export directory. Click the Add button, and add the names of the machines that you want to export files to. Choose Manage to configure specific directories for export. By default, NT replicates (exports) the scripts directory. In addition, I usually click the entire subtree setting.

4. Choose OK to exit the dialogue box. A message will appear that tells you NT is attempting to start the Directory Replicator service. If it does not start, check the application log in Event Viewer for application or network errors related to this service.

5. The final step is to log on to the import computers and repeat step 3 for the import directories. Open Server Manager, and click the Replication button. Choose Add, and specify the name of the export server.

Close the dialogue box after you specify the export server and configure the import path. Replication will begin within several minutes. Screen 3 shows files successfully replicated to an import client from an export server.

I always give the replication user explicit full control permissions to the import directories on the import systems and the export directories on the export system.

What if replication does not work? Check the following settings:

1. Does the application log in Event Viewer show any messages for the Directory Replicator service? I have seen both application and network errors. Try to determine the cause of the message (most messages are numbers; go to a command prompt and type

Net Helpmsg "msg#"

to get an explanation of the problem). Check the application logs on the import and export systems.

If you are importing files to multiple systems, check whether all the machines exhibit the same problems. If not, you know the problem is system specific and probably relates to a permission or setup issue.

2. What time zones are the import and export computers running in? Replication is time dependent, so time delays could affect the replication of your files. In local domains, always synchronise the time between the export and import computers.

3. Does the import computer have Backup Operator privileges? At a minimum, the \import directory and \import\scripts directory must have change permissions. The Backup Operators group must also have permission to back up and restore files and directories. If these permissions are not set, you will see errors 5, 1300, and 1307 in the application log in Event Viewer.

4. Are the import and export computers in different domains? If so, make sure the password and username are the same in both domains, and that the domains trust each other.

5. Make sure the files or directories you are replicating don’t have any extended attributes (e.g., special access). These can cause replication problems.

6. If either the export directory or the import directories are on an NTFS partition, use NT Explorer or File Manager to look at the access control lists (ACLs) on the import and export trees. Make sure the Replicator local group has at least change permissions for these directories.

7. Check to see whether a user account has a file always open on either the import or export computer. If so, you will see a file open error (error 32) as a sharing violation in the Event Log on both of the machines.

8. Make sure you can locate a REPL$ share on the export computer (the Directory Replicator service creates this share). The Directory Replication dialogue box also sets an ACL for the REPL$ share. Using the Net command or other means to create the REPL$ share will probably cause problems.

9. Run the Net Start command on the export and import computers, and make sure both computers list the Directory Replicator (or equivalent) service.

10. If either the import directory or the export directory is on an NTFS partition, do any of the same files in these directories differ only by case? Unfortunately, you can’t predict which file NT will replicate in this situation. For example, the export computer may send a file with a lowercase filename, and the import computer may receive a file with an uppercase filename. This situation results in the replication being out of sync.

11. If the export computer is running OS/2 or UNIX and the import computer is running NT, is the export computer’s local time within half an hour of the import computer’s time? If not, the NT network redirector will produce time conflicts and cause the system to try to copy everything again and again. In this situation, replication may never occur.

12. Some versions of the OS/2 importer leave the archive bit set for all files imported, regardless of whether the bit was set on the export side. This situation can result in continuous copying. One workaround is to set the archive bit for all files on the export computer (NT to NT replication correctly clones the archive bit).

13. Some LAN Manager 2.1a import computers do not set their status file to OK.RP$ (replication is OK). The Directory Replicator service won’t recopy files each time the export computer sends files to the import computer, but the service will compare the files. Except for not establishing the correct state of the status file, the service correctly replicates the files. This behaviour does not occur on LAN Manager 2.2 importers.

14. Some versions of LAN Manager for OS/2 and UNIX allow hard disk files with reserved names, such as LPT1 or COM1. Do not use such file names.

15. LAN Manager for OS/2 has a design limitation that prevents it from using more than one set of credentials (a username and password) at a time. That way, for example, if a user interactively logs on with one user ID and the Directory Replicator service tries to use a different user ID, the Directory Replicator service can’t replicate any files until the interactive user logs off. However, if the interactive user and the Replicator user have the same user ID, replication is possible, depending on the value of the TryUser value in the lanman.ini file.

■ Screen 1: Enabling the Directory Replicator service

■ Screen 2: Configuring NT's directory replication import and export directories

■ Screen 3: Viewing files on the import machine that have been successfully replicated

16. Import computers running LAN Manager for OS/2 and UNIX are generally limited to 1000 files per directory (keep in mind that the . and the .. directory entries use 2 of these 1000 entries).

17. Are you replicating files from a High-Performance File System (HPFS) partition (written by OS/2) to an NT server? If any of these files have extended attributes, you might run into problems. OS/2 might have written the extended attributes in discontiguous parts of the export hard disk, and NT does not support this structure. The Directory Replicator service includes the extended attributes sizes in its checksums, and these values may be wrong in this situation. Wrong values could cause directory replication to stay out of sync permanently. You can use NT to rewrite the same values for the extended attributes to one contiguous area, if you know their original values.

18. If a router separates the import and export computers, go to Replication under the Server applet in the Control Panel and add their machine names to the export To List and the export machine name to the import From List. This step forces name resolution across the router and should synchronise the computers with the domain.

I’ve had good luck using NT’s Directory 
Replicator service across a local domain. 
However, I’ve encountered problems when 
trying to replicate files across multiple 
domains where routers and switches are 
involved. In these situations, I recommend 
an application such as Octopus Super 
Automatic Switch Over (SASO) 2.0. 
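
Checks 10, 14 and 16 in the list above can be run against an export tree before replication is switched on. The Python sketch below is an added example, not part of the original column; the function names, the constructed sample tree, and the choice to match a reserved name on the part before the first dot are assumptions of the example.

```python
import os
from collections import defaultdict

RESERVED_NAMES = {"LPT1", "COM1"}   # the two reserved names the column cites
MAX_ENTRIES = 1000                  # per-directory limit on OS/2 and UNIX importers
DOT_ENTRIES = 2                     # entries the column says are already used up


def audit_paths(paths, max_entries=MAX_ENTRIES):
    """Check '/'-separated relative paths (files and directories) of an export tree.

    Returns (code, directory, detail) tuples, with directories in sorted order.
    """
    by_dir = defaultdict(list)
    for path in paths:
        parent, _, name = path.strip("/").rpartition("/")
        by_dir[parent].append(name)

    findings = []
    for parent in sorted(by_dir):
        names = by_dir[parent]
        # Item 10: names that differ only by case replicate unpredictably.
        folded = defaultdict(set)
        for name in names:
            folded[name.lower()].add(name)
        for variants in folded.values():
            if len(variants) > 1:
                findings.append(("case-collision", parent, sorted(variants)))
        # Item 14: reserved device names. Matching the part before the first
        # dot (so LPT1.TXT is flagged too) is an assumption of this example.
        for name in names:
            if name.split(".")[0].upper() in RESERVED_NAMES:
                findings.append(("reserved-name", parent, name))
        # Item 16: the 1000-entry limit includes the two directory entries.
        if len(names) + DOT_ENTRIES > max_entries:
            findings.append(("too-many-entries", parent, len(names)))
    return findings


def list_tree(root):
    """Collect relative paths under a real export directory for audit_paths()."""
    collected = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        prefix = "" if rel == "." else rel.replace(os.sep, "/") + "/"
        for name in dirnames + filenames:
            collected.append(prefix + name)
    return collected


# Constructed sample tree (not taken from a real server).
SAMPLE_TREE = (
    ["scripts", "bulk", "scripts/tools",
     "scripts/logon.bat", "scripts/LOGON.BAT",
     "scripts/tools/lpt1", "scripts/tools/readme.txt"]
    + ["bulk/file%04d.dat" % i for i in range(999)]
)

if __name__ == "__main__":
    for finding in audit_paths(SAMPLE_TREE):
        print(finding)
```

For a live check, pass `list_tree()` the export directory configured in Server Manager and feed the result to `audit_paths()`.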

Q: I’ve noticed that Microsoft advocates the use of Windows Internet Name Service (WINS) files over LMHOSTS files, particularly when browsing a domain is an issue. Can you explain the difference in using each on networks and specifically for browsing capabilities?

A: Microsoft provides an excellent Knowledge Base white paper on this issue at http://www.microsoft.com/kb/articles/q150/8/00.htm. According to the white paper, Microsoft suggests that all large, multisegmented TCP/IP networks that use routers will run best with WINS. In such situations, WINS typically handles the complex browsing and configuration for these diverse and complex LANS or WANS. However, some large networks still need static mapping, and LMHOSTS files work well in these situations.

Browsing a Microsoft network is a distributed service that one or more computers provide. Each computer can take on several browser roles. The most important roles are the segment master browser (SegMB) and the domain master browser (DomMB).

The SegMB can be any NT Server, NT Workstation, domain controller, Win95, or Windows for Workgroups (WFW) 3.11 PC. The SegMB maintains a browse list of the computers within its local segment and forwards this list to the DomMB. The SegMB then requests the domain browse list from the DomMB. The SegMB merges the domain list with the local list, and makes the combined list available to local clients.

The DomMB is the NT Primary Domain Controller (PDC). It maintains the browse list for its local segment (i.e., it acts as a SegMB) and collects browse lists from other (remote) SegMBs with the same domain name (or Workgroup Name = DomainName). The DomMB merges the lists it collects with its local list and redistributes the combined list to all remote SegMBs. Thus, the DomMB serves as the central hub for maintaining the domainwide browse list. To determine which machine is the DomMB, the SegMBs locate the computer with the registered NetBIOS name of Domain<1b> (only the PDC, which is the DomMB, can register this name).

Browsing with WINS 

In a WINS environment, a SegMB queries WINS to determine which machine registered the NetBIOS name of Domain<1b>. In this case, WINS provides a convenient central resource for this information.

WINS can help browsers in a multidomain browsing environment. A PDC set up to query WINS periodically requests the list of all domains registered in the database. A domain is identified by a Domain<1b> registration in the WINS database and the associated IP address of the PDC that registered it. The PDC combines this list with its domain browse list to build a complete list of computers in the PDC’s domain and other domains across the WAN. The PDC provides this complete list to its SegMBs. Once the PDC has distributed this list, you see all the computers on the browse list when you use File Manager or Network Neighborhood to view the network.

(Providing information to the browsers in a network is the extent of WINS’s involvement with browsing. It does not participate in the browser election process or help clients determine which computer is the SegMB or the DomMB. The process of identifying the DomMB occurs when the SegMB first contacts the DomMB.)

Browsing with LMHOSTS 

In contrast to browsing with WINS, using LMHOSTS files requires special LMHOSTS entries that designate which machines are the domain controllers. Specifically, LMHOSTS files use the following convention:

199.199.199.1 ComputerName #PRE #DOM:DomainName

When you boot a computer, it reads these entries and stores them in the NetBIOS name cache until you turn off the computer. Therefore, storing these entries last in the LMHOSTS file is best for subsequent LMHOSTS parsing efficiency. All computers in the domain need one of these entries for each local domain controller and one for the PDC. Also, note the order and capitalisation of #PRE and #DOM in the entry (the other names in the entry are not case sensitive).

Having these LMHOSTS entries is sufficient for an NT computer: an NT-based SegMB computer determines which machine is the PDC by sending a query (using the NetGetDcName API) to all LMHOSTS entries with the #DOM:<localdomain> designation. Only the PDC responds to this command. The NT-based SegMB computer then contacts the PDC, informs the PDC that it’s a master browser, and continues the process of getting the domain browse list. The PDC then contacts the SegMB computer to get the local segment browse list. This process of exchanging lists repeats every 12 to 15 minutes.

Win95 and WFW SegMBs are different. They do not perform the NetGetDcName API, so they need entries in the LMHOSTS file that identify which machine is the PDC. Assuming the example LMHOSTS entry above is the PDC, you would have two entries for a Win95 or WFW client:

199.199.199.1 controller1 #PRE #DOM:domainname
199.199.199.1 "domainname,,,,,\0x1b" #PRE

The first entry lets the PDC act as a logon domain controller for the client, and the second entry lets the client browser service find the PDC. You will probably have multiple entries similar to the first line (for multiple domain controllers), but only one entry with the \0x1b directive (to designate the PDC). Note that the domain name must be in quotes and padded with spaces for a total of 15 characters before the \0x1b portion (the example above shows commas for visual placeholders; however, these commas would be replaced with spaces in a real LMHOSTS file). Let’s look at an LMHOSTS example.

LMHOSTS Example

If your domain name is bobsplace, your PDC NetBIOS name is bob1, and you have other various backup domain controllers (BDCs), your LMHOSTS file will look like

199.199.199.1 "bobsplace      \0x1b" #PRE
199.199.199.1 bob1 #PRE #DOM:bobsplace
199.199.199.2 otherdc1 #PRE #DOM:bobsplace
199.199.199.3 otherdc2 #PRE #DOM:bobsplace

LMHOSTS files are limited in multidomain environments because they don’t automatically provide multidomain browsing as WINS does. In a WINS environment, the PDC will query WINS for a list of remote domains and add that information to its browse list. However, in an LMHOSTS environment, the PDC doesn’t parse the LMHOSTS file for the same information, and it doesn’t include other \0x1b entries with the #PRE (cache) directive. If your PDC does not query WINS, you can’t see other domains through File Manager or Network Neighborhood. However, you can still browse other domains manually, based on broadcasts if you know the domain name and if you have special entries in your LMHOSTS file.
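
The formatting rules described above (uppercase #PRE and #DOM, a quoted name padded to 15 characters before \0x1b, a single \0x1b entry per domain, preloaded entries last) are easy to get wrong by hand. The Python linter below is an added example, not part of the original column; its function names and finding codes are assumptions, the sample file is constructed, and it treats any line starting with # as a comment.

```python
import re

# Quoted NetBIOS name ending in a \0xNN type byte, e.g. "bobsplace      \0x1b"
QUOTED = re.compile(r'^(\S+)\s+"([^"]*?)\\0[xX]([0-9A-Fa-f]{2})"\s*(.*)$')
PLAIN = re.compile(r'^(\S+)\s+([^\s"#]+)\s*(.*)$')


def pdc_entry(ip, domain):
    """Build the PDC entry: domain padded with spaces to 15 characters, then \\0x1b."""
    if len(domain) > 15:
        raise ValueError("domain name longer than 15 characters")
    return '{} "{}\\0x1b" #PRE'.format(ip, domain.ljust(15))


def parse(text):
    """Return one dict per entry line; lines starting with # are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = QUOTED.match(line)
        if m:
            ip, name, suffix, rest = m.group(1), m.group(2), m.group(3).lower(), m.group(4)
        else:
            m = PLAIN.match(line)
            if not m:
                entries.append({"line": lineno, "bad": True})
                continue
            ip, name, suffix, rest = m.group(1), m.group(2), None, m.group(3)
        keywords = []
        for tok in rest.split():
            if tok.upper() == "#PRE" or tok.upper().startswith("#DOM:"):
                keywords.append(tok)
            else:
                break  # anything else starts a trailing comment
        entries.append({"line": lineno, "bad": False, "ip": ip, "name": name,
                        "suffix": suffix, "keywords": keywords})
    return entries


def lint(text):
    """Return (line number, code) findings for the rules the column describes."""
    findings, seen_1b, pre_seen = [], set(), False
    for e in parse(text):
        n = e["line"]
        if e["bad"]:
            findings.append((n, "unparsable"))
            continue
        is_pre = False
        for kw in e["keywords"]:
            if kw.upper() == "#PRE":
                is_pre = True
                if kw != "#PRE":
                    findings.append((n, "pre-case"))
            elif not kw.startswith("#DOM:"):
                findings.append((n, "dom-case"))
        if e["suffix"] is not None and len(e["name"]) != 15:
            findings.append((n, "padding"))       # must be 15 characters before \0xNN
        if e["suffix"] == "1b":
            key = e["name"].strip().lower()
            if key in seen_1b:
                findings.append((n, "duplicate-1b"))  # only one PDC entry per domain
            seen_1b.add(key)
        if pre_seen and not is_pre:
            findings.append((n, "order"))         # #PRE entries are best stored last
        pre_seen = pre_seen or is_pre
    return findings


# Constructed sample: lines 4 to 6 each break one of the rules.
SAMPLE = "\n".join([
    "199.199.199.9 fileserver",
    pdc_entry("199.199.199.1", "bobsplace"),
    "199.199.199.1 bob1 #PRE #DOM:bobsplace",
    "199.199.199.2 otherdc1 #pre #dom:bobsplace",
    '199.199.199.1 "bobsplace \\0x1b" #PRE',
    "199.199.199.8 printserver",
])

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```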


Send us your tips and questions. You can also visit Bob Chronister's online Tricks & Traps at http://www.winntmag.com/forums/index.html.

Logos and space - the final frontier


Ever stare blankly at your computer and thin 1 ' 
how a Friesian cow or flying windows str 
out of Play School were chosen as IT icor 
Well don't be fooled by simplicity. Even < 
design of blue and black with a white 
arc can become something very, very 
...deep. The guys at Modus Media 
International must love star gazing as 
its recent Australian launch the logo was 
revealed to contain meaning of galactic proportions. The blue represents Earth, white the Sun, and black Outer Space. Just some advice - cut down on the herbal tea.


neers, came down to Sydney a while ago he 
lamented the fact that politicians usually have 
very little knowledge of IT. Unfortunately his 
statement has already proved itself truthful for 
Australia, with two politicians admitting their 
computing ignorance at a recent Compaq 
function. 

"I need someone to show me what buttons 
to press to get onto the Internet," stated the 
very amiable - but perhaps underqualified - 
Hon. John Moore MP, who just happens to be the minister for industry, science and technology. Ms Sandra Noir, a parliamentary secretary for the Port Jackson area, also conceded
that "I need to get my kids to help me get 
onto the Internet," although she admittedly 
has less need of IT knowledge. Still, should 
they really be so honest with the media? 


Big brother will really be watching you now

It was mentioned in a previous Scan piece that Microsoft was working on voice recognition technologies, so that in future you can talk to your PC. Well now that looks almost old hat with the announcement that Microsoft is also working on visual recognition. That's right, your computer will be able to recognise you, through gesture recognition and head, eye and body tracking. Of course, it's still in the R + D stage but hey, you have to wonder at the sinister uses it can be put to.




Once upon a time companies used code names to describe projects that were still secret - as such, anyone overhearing a high level discussion would have no idea what the people were talking about.

Alas, those days are no more and not only are code names used by companies at press functions, they're now starting to become the full name of the product. At least, that's what seems to have happened to Intel's Merced processor, which all of a sudden has a trademark placed upon it. Then again, maybe that's because calling a chip 'Hexium' would provide satanic overtones.